# paradoxlabs/tokenbase

> Base module for ParadoxLabs tokenization payment methods.

`composer require paradoxlabs/tokenbase`

Canonical URL: https://packagento.com/paradoxlabs/tokenbase

## At a glance

- **Vendor**: paradoxlabs (https://packagento.com/paradoxlabs.md)
- **Latest version**: 5.0.0 — released 2026-06-17
- **Pricing**: Free
- **Package type**: Magento 2 module
- **Status**: active, accepting new buyers

## Installation

Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them.

1. **Sign in or create an account** at https://packagento.com/customer/account/.

2. **Add the package to your account.** Open https://packagento.com/paradoxlabs/tokenbase and complete the free checkout. A licence is minted automatically.

3. **Create or pick a project, then activate the licence on it.**
   - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/.
   - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project.

4. **Add the project credentials to your Magento codebase.**

   Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`:

   ```json
   {
     "http-basic": {
       "packagento.com": {
         "username": "ppk_live_...",
         "password": "psk_live_..."
       }
     }
   }
   ```

   Add the Packagento Composer repository to `composer.json`:

   ```json
   {
     "repositories": [
       { "type": "composer", "url": "https://packagento.com" }
     ]
   }
   ```

5. **Install and apply.**

   ```bash
   composer require paradoxlabs/tokenbase:*
   bin/magento setup:upgrade
   bin/magento setup:di:compile
   bin/magento cache:flush
   ```

## What it does

Base module for ParadoxLabs tokenization payment methods.

## README

[![Latest Stable Version](https://poser.pugx.org/paradoxlabs/tokenbase/v/stable)](https://packagist.org/packages/paradoxlabs/tokenbase)
[![License](https://poser.pugx.org/paradoxlabs/tokenbase/license)](https://packagist.org/packages/paradoxlabs/tokenbase)
[![Total Downloads](https://poser.pugx.org/paradoxlabs/tokenbase/downloads)](https://packagist.org/packages/paradoxlabs/tokenbase)

<p align="center">
    <a href="https://www.paradoxlabs.com"><img alt="ParadoxLabs" src="https://paradoxlabs.com/wp-content/uploads/2020/02/pl-logo-canva-2.png" width="250"></a>
</p>

TokenBase is the foundational package for most ParadoxLabs extensions for Magento&reg;. It provides a tokenized card storage mechanism that is similar to but more featureful than Magento_Vault, and abstract components of a payment gateway implementation for Magento built around those stored cards.

Requirements
------------

* Adobe Commerce / Magento Open Source 2.4.6 – 2.4.9 (or equivalent version of Adobe Commerce Cloud), or Mage-OS 2.0 – 3.0
* PHP 8.1, 8.2, 8.3, 8.4, or 8.5
* composer 2

Features
--------

* Tokenized card storage
* Frontend and Admin Panel customer card management
* Stored Card service layer
* REST API coverage
* SOAP API coverage
* GraphQL API coverage
* Separated transaction logging to `tokenbase.log`
* Abstract payment method implementation
* Abstract payment gateway implementation

Installation and Usage
============

In SSH at your Magento base directory, run:

    composer require paradoxlabs/tokenbase
    php bin/magento module:enable ParadoxLabs_TokenBase
    php bin/magento setup:upgrade

**NOTE**: This is a shared library for other modules to build upon. It does not provide any functionality of its own and cannot be used without a separate supporting Magento extension such as [ParadoxLabs' Authorize.net CIM](https://github.com/ParadoxLabs-Inc/authnetcim) or [CyberSource](https://github.com/ParadoxLabs-Inc/cybersource) payment methods for Magento.

Changelog
=========

Please see [CHANGELOG.md](https://github.com/ParadoxLabs-Inc/tokenbase/blob/master/CHANGELOG.md).

Support
=======

This module is provided free and without support of any kind. You may report issues you've found in the module, and we will address them as we are able, but **no support will be provided here.**

**DO NOT include any API keys, credentials, or customer-identifying in issues, pull requests, or comments. Any personally identifying information will be deleted on sight.**

If you need personal support services, please [buy an extension support plan from ParadoxLabs](https://store.paradoxlabs.com/support-renewal.html), then open a ticket at [support.paradoxlabs.com](https://support.paradoxlabs.com).

Contributing
============

Please feel free to submit pull requests with any contributions. We welcome and appreciate your support, and will acknowledge contributors.

This module is maintained by ParadoxLabs for use in ParadoxLabs extensions. We make no guarantee of accepting contributions, especially any that introduce architectural changes.

License
=======

This module is licensed under [APACHE LICENSE, VERSION 2.0](https://github.com/ParadoxLabs-Inc/tokenbase/blob/master/LICENSE).

## Changelog

### 5.0.0 - Jun 17, 2026: PHP 8.1–8.5 compatibility

**WARNING: PHP 8.1 is now the minimum. `AbstractGateway::__construct` no longer takes
`ZendClientFactory` — gateways extending it must update their constructors.**

- Added support up to PHP 8.5; PHP 8.1+ is now required.
- Added unit test coverage.
- Changed `AbstractGateway` constructor signature (removed `ZendClientFactory` dependency).
- Fixed payment method instance not being re-applied to the card type instance before importing payment info.
- Refactored for PHP 8.1+: constructor property promotion, readonly properties, strict types, import cleanup, and `$escaper` usage in templates.

### 4.8.0 - Jan 7, 2026
- Added confirmation prompt before deleting stored payment cards.
- Added feature to auto-load invoice when clicking 'Credit Memo' from an order.
- Changed GraphQL to hard dependency, removing compatibility for Magento 2.2.
- Fixed card address changes not syncing to gateway on API card save, for applicable gateways. (#12, thanks @damienwebdev)
- Fixed card last_use timestamp not being set when saving a new card from My Payment Options.
- Fixed getTokenDetails potentially returning non-string value in some API requests.
- Fixed PHP 8.4 compatibility issue in AbstractMethod. (#11, thanks @richard-t-bermudez)

### 4.7.3 - Apr 23, 2025
- Added support for Magento 2.4.8 (monolog/monolog ^3.0).
- Fixed a Magento 2.3 compilation error.
- Fixed PHP 8.4 compatibility.

### 4.7.2 - Jan 13, 2025
- Fixed Instant Purchase failing to load vault payment.
- Fixed PHP 7.1-7.2 compatibility (regression in 4.7.0).

### 4.7.1 - Oct 16, 2024
- Fixed checkout error message parameter replacement (causing "%1" rather than proper data in a message).
- Fixed CVV/ACH help tooltips showing up at the end of the page after open.
- Fixed the update feed checking too frequently, if the AdminNotification module is disabled.

### 4.7.0 - Jun 28, 2024
- Added CSP/SRI secure mode support for 2.4.0+ (2.4.7 checkout compatibility).
- Fixed payment extension attributes holding tokenbase_id values improperly.
- Fixed reorder applying the original payment method if a new card was entered.

### 4.6.1 - Feb 23, 2024
- Fixed NoSuchEntity exception on loading a Magento Vault card.

### 4.6.0 - Jan 23, 2024
- Added Instant Purchase support.
- Fixed Maestro Domestic matching to prevent false matches.

### 4.5.6 - Nov 9, 2023
- Added preliminary support for Magento 2.4.7-beta2.
- Fixed ACH form template on multishipping checkout.
- Fixed payment info incorrectly persisting and preventing new card entry after a payment decline or admin reorder.
- Fixed performance issue on order grid and order collection load. (#1 -- thanks @lbajsarowicz)
- Fixed possible error on 'Get Payment Update' if transaction is closed. (#4)

### 4.5.5 - May 11, 2023
- Changed license from proprietary to Apache 2.0. Issues and contributions are welcome on GitHub.
- Fixed hyphenated transaction IDs possibly being sent to payment gateway on refund.

### 4.5.4 - Mar 10, 2023
- Added compatibility for Magento 2.4.6.
- Changed GraphQL data assignment to allow order placement in a separate mutation. (Thanks Alfredo)
- Fixed disabled CC form fields on admin checkout.
- Fixed zero-total checkout handling.
- Fixed GraphQL tokenbase_id handling during order placement. (Thanks Damien, Tony)
- Fixed transaction being voided in error if 'quote failure' event runs despite the order saving successfully. (Thanks Michael)
- Fixed possible duplicate checkout submission by keyboard input.

### 4.5.1 - Apr 13, 2022
- Fixed monolog dependency for 2.4.4.

_(Changelog truncated for .md surface. Full history on https://packagento.com/paradoxlabs/tokenbase.)_

## Recent Versions

| Version | Released |
|---|---|
| 5.0.0 | 2026-06-17 |
| 4.8.0 | 2026-01-12 |
| 4.7.3 | 2025-04-23 |
| 4.7.2 | 2025-01-13 |
| 4.7.1 | 2024-10-16 |
| 4.7.0 | 2024-06-28 |
| 4.6.1 | 2024-02-23 |
| 4.6.0 | 2024-01-23 |
| 4.5.6 | 2023-11-09 |
| 4.5.5 | 2023-05-11 |

Showing 10 of 47 versions. Full release history on https://packagento.com/paradoxlabs/tokenbase.

## Dependencies

### Require

| Package | Constraint |
|---|---|
| ext-json | * |
| magento/framework | ^102.0\|\|^103.0 |
| magento/module-admin-notification | ^100.0 |
| magento/module-backend | ^100.0\|\|^101.0\|\|^102.0 |
| magento/module-checkout | ^100.0 |
| magento/module-config | ^100.0\|\|^101.0 |
| magento/module-customer | ^100.0\|\|^101.0\|\|^102.0\|\|^103.0 |
| magento/module-directory | ^100.0 |
| magento/module-instant-purchase | ^100.0 |
| magento/module-payment | ^100.0 |
| magento/module-quote | ^100.0\|\|^101.0 |
| magento/module-sales | ^100.0\|\|^101.0\|\|^102.0\|\|^103.0 |
| magento/module-store | ^100.0\|\|^101.0 |
| magento/module-vault | ^100.1\|\|^101.0 |
| monolog/monolog | ^1.11\|\|^2.0\|\|^3.0 |
| php | >=8.1 |

## Quality

Latest release (5.0.0) fails the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers.


### Compatibility

Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | Pass | Pass | – | – |
| 2.4.8 | – | Pass | Pass | – |
| 2.4.9 | – | – | Pass | Pass |


### Code Quality

Advisory checks against the module's source. Never affect the Compatibility verdict — a phpcs finding can't make a module incompatible.

#### Static Analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| PHPCS | Fail | 474 | 1 error, 473 warnings (ruleset: Magento2) — 36 auto-fixable with phpcbf |
| PHPMD | Warning | 120 | 120 rule violations (UnusedFormalParameter:61, CyclomaticComplexity:16, TooManyPublicMethods:14, ExcessiveParameterList:5, NPathComplexity:5) |
| Cpd | Warning | 11 | 11 duplicated chunks spanning 440 total lines (min-lines=5, min-tokens=70) |
| Composer validate | Info | 1 | valid; 1 advisory note (composer validate --strict) |

#### PHPStan

Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | 131 | 131 | – | – |
| 2.4.8 | – | 131 | 131 | – |
| 2.4.9 | – | – | 125 | 125 |


### Tests

Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately.

#### Unit Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |

#### Integration Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |


### Security

Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| Composer audit | Pass | 0 |  |
| Malware scan | Pass | 0 |  |

## Licence and pricing

Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step.

Refundable within 14 days of first purchase via https://packagento.com/account/refunds/.

## Install via Claude Code or any MCP client

The Packagento MCP server can run the licence + project + Composer steps above in one tool call:

```
purchase_and_install_packages(
  composer_names=["paradoxlabs/tokenbase"],
  project_id="proj_xxx"
)
```

This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup.

## Vendor

paradoxlabs is a Magento 2 vendor on Packagento. See https://packagento.com/paradoxlabs.md for their full catalogue.