This guide covers how to deploy credential defense on login forms. There are numerous variables to take into account for a deployment, and we will try to cover as much as possible in this guide.

Upon completion of deploying credential defense to login pages, you will have visibility into and/or control over the complexity requirements and different weaknesses the credentials of your user base use to access your web app.

Deploying credential defense on login forms offers extended visibility and control to the login procedure while not introducing any new friction to the user experience. Ultimately, if there is a weakness(dark web, commonly used, complexity, etc.) in the password of a succesfful login, Cymatic can take the user to your existing reset password flow to mitigate the threat. While these password policy checks are performed on the registration and password reset forms as covered in Credential Defense for Registration and Password Reset Forms, for complete coverage it is recommended to deploy on the login form as well. If a password created at registration time meets your criteria, it will be accepted. However, if over time that clean password has been leaked to the dark web, determined to be a commonly used password, or you change your complexity requirements, the check performed at login will detect the discrepancy and mitigate the threat. Since Cymatic also checks the password reset form, we can confirm the new password meets your current credential defense policy.

With the addition of credential defense, there are three login attempt scenarios that need to be taken into consideration.
If the account does not exist, deny login
If the account exists, however the passsword violates the policy configured in Cymatic, allow login and redirect to your password reset flow
If the account exists and the password meets the policy configured in Cymatic, allow login

For the scenario where the user is redirected to your password reset flow, it may be beneficial to notify the user why they need to reset their password.
To perform the following steps, you will need access to modify the HTML of the web application pages you would like to deploy Cymatic on.
Snippet deployment

As covered in the other deployment guides, the snippet should be injected into the head section of the HTML code for the registration and password reset pages.

Add the token to your form

One of the values of adding the Cymatic API integration is to confirm that the data seen in the SDK that runs in the user's browser is the same as what is seen on your web app. This is done via a token added to your existing login form. Within the login form, add the following div:
<div class="form-group">
   <input id           = "cy-token"
              name     = "cy-token"
              type       = "hidden"

SDK initialization

The SDK needs to be aware of the new token defined in the previous step. This is done by defining the token in the initialization script with the token attribute. If the code from the prior step was used, then token:'#cy-token' can be added to the initialization script on the login page. All together, the initialization snippet would appear similar to the following:
<script>CymaticXid.v2.init({ login: { selector:'#login_form', username:'#username', password:'#password', token:'#cy-token', submit:'#clicked' }});</script>

If assistance is needed with determininig the other selectors on the login page, please refer to the Deployment for Login Forms guide.

Install the Cymatic credential defense package


To add the credential defense for login forms package to a site running on PHP, the Composer application needs to be installed on the server hosting the site. If it is not already installed, please follow the directions for installation found at

Once Composer is installed and running, run the following command from the web page root directory. For example, if your server is running Apache, the root directory for web pages is /var/www.
composer require cymatic/php-api:dev-master

This will install all packages necessary to operate Cymatic credential defense for login forms.

Add the following lines to the top of the login page HTML code


In the PHP section at the top of the login form code, add the following:

require 'vendor/autoload.php';
use CymaticApi\Cymatic;
$cytoken = $_POST['cy_token'];

To minimize unnecessary lookups with the Cymatic API, it is recommended to use the following code block after the username and password pair have been confirmed to be a legitimate user account for your web app.
To confirm the password meets your password policy as defined in the Cymatic app, use the following code block:
$settings = [
  "tenant" => [
    "name" => "cymatic",
    "clientId" => "xxxxxx-xxxxxxx-xxxxxxxx-xxxxxxx-xxxxxx",
    "secret"   => "xxxxxx-xxxxxxx-xxxxxxxx-xxxxxxx-xxxxxx",

$cymatic = new Cymatic($settings);

try {
  $payload = [
    "token" => $cytoken,
  $verification = $cymatic->verify($payload);
} catch (\Throwable $th) {
  echo $th;

The clientId and secret elements are unique per site. You can find these values in the Cymatic platform for your site at settings > installation > API. These values can then be insterted into the code block for use.
The above code block is just a sample and by itself will not take action on a successful login. What happens with the data Cymatic returns ultimately needs to be written into your web app. For example, the following code block will take a successfully authenticated account that does not meet your current password policy and direct the user into a password reset flow:
try {
  $payload = [
    "token" => $cytoken,
  $verification = $cymatic->verify($payload);
  if ( $count == 1 && !$verification["credentials"]["password"]["valid"] )  {
    $_SESSION['login_user'] = $myusername;
    setcookie("username", $myusername, time()+3600, "/", "" );
    header("location: dwprst.php");
Was this article helpful?
Thank you!