USE CASE

A Ready-Made Mobile App Backend in PHP & SQLite

You built the app. Now it needs server-side Apple/Google sign-in, token issuance, a per-user data API and an admin panel — without Firebase lock-in or hand-rolling JWT verification.

What you get

The whole server side of a mobile app, already built and documented.

Real provider auth

Apple, Google and passwordless magic-link sign-in. Provider id_tokens are verified against the live Apple/Google keys (JWKS) — audience, issuer and expiry checked — so a forged or replayed login cannot impersonate a user.

Bearer-token JSON API

Sign-in mints a bearer app_token your app stores. /app_me, profile and an items CRUD are gated by that token — a clean JSON API over per-user data.

Operator console

An admin pack to see users, revoke tokens and manage app data — the back office you would otherwise build by hand.

A PHP backend for React Native & Expo apps

Your React Native or Expo app does the native Apple or Google sign-in, then exchanges the provider id_token for a bearer token — a few lines of fetch, no SDK required:

POST /api.php?action=app_auth_apple
  { "id_token": "…", "nonce": "…" }
→ { "token": "at_9f3…" }

GET /api.php?action=app_me
  Authorization: Bearer at_9f3…
→ { "ok": true, "user": { … } }

From there every request just carries the bearer token. Full setup, the exact env vars (APPLE_APP_AUD, GOOGLE_APP_AUD) and the endpoint reference live in APP_BACKEND.md in the download.

  • SQLite is plentyA per-user data API on one box does not need a managed database — SQLite in WAL mode handles it.
  • No Firebase lock-inIt is your server, your data, your auth. Self-host on a small VPS instead of renting a backend.
  • Self-host on a $5 VPSFixed monthly cost that does not climb with your daily active users.
  • Documented, not magicAPP_BACKEND.md walks the auth flow, the API, and how to verify it works.

A mobile app backend template, not a tutorial

Search this problem and you get years-old blog tutorials that stop at returning JSON from a PHP file — no token verification, no revocation, no admin, nothing you would put in front of paying users. This is the other thing: a working backend you deploy, with Apple/Google id_tokens verified against the live JWKS keys, bearer tokens you can revoke from the console, and migrations for the schema. If you want the full picture — native SwiftUI and Compose apps included on top of this API — see the SaaS boilerplate with native apps page, or the Firebase alternative page for the self-hosting argument.

TRY IT LIVE

Poke the backend before you buy.

The app-backend demo runs the real auth and API.