feat(php): support omitting username/password from basic auth when configured in IR

generators/php/dynamic-snippets/src/EndpointSnippetGenerator.ts

@@ -321,16 +321,24 @@ export class EndpointSnippetGenerator {
         auth: FernIr.dynamic.BasicAuth;
         values: FernIr.dynamic.BasicAuthValues;
     }): NamedArgument[] {
-        return [
-            {
+        // usernameOmit/passwordOmit may exist in newer IR versions
+        const authRecord = auth as unknown as Record<string, unknown>;
+        const usernameOmitted = !!authRecord.usernameOmit;
+        const passwordOmitted = !!authRecord.passwordOmit;
+        const args: NamedArgument[] = [];
+        if (!usernameOmitted) {
+            args.push({
                 name: this.context.getPropertyName(auth.username),
                 assignment: php.TypeLiteral.string(values.username)
-            },
-            {
+            });
+        }
+        if (!passwordOmitted) {
+            args.push({
                 name: this.context.getPropertyName(auth.password),
                 assignment: php.TypeLiteral.string(values.password)
-            }
-        ];
+            });
+        }
+        return args;
     }
 
     private getConstructorEnvironmentArg({

generators/php/sdk/src/root-client/RootClientGenerator.ts

@@ -355,26 +355,25 @@ export class RootClientGenerator extends FileGenerator<PhpFile, SdkCustomConfigS
                 const basicAuthSchemes = this.context.ir.auth.schemes.filter(
                     (s): s is typeof s & { type: "basic" } => s.type === "basic"
                 );
-                if (basicAuthSchemes.length > 0) {
+                const resolvedBasicAuthSchemes = basicAuthSchemes
+                    .map((scheme) => this.resolveBasicAuthScheme(scheme))
+                    .filter((resolved) => resolved != null);
+                if (resolvedBasicAuthSchemes.length > 0) {
                     const isAuthOptional = !this.context.ir.sdkConfig.isAuthMandatory;
-                    for (let i = 0; i < basicAuthSchemes.length; i++) {
-                        const basicAuthScheme = basicAuthSchemes[i];
-                        if (basicAuthScheme == null) {
+                    const needsControlFlow = isAuthOptional || resolvedBasicAuthSchemes.length > 1;
+                    for (let i = 0; i < resolvedBasicAuthSchemes.length; i++) {
+                        const resolved = resolvedBasicAuthSchemes[i];
+                        if (resolved == null) {
                             continue;
                         }
-                        const usernameName = this.context.getParameterName(basicAuthScheme.username);
-                        const passwordName = this.context.getParameterName(basicAuthScheme.password);
-                        if (isAuthOptional || basicAuthSchemes.length > 1) {
-                            const controlFlowKeyword = i === 0 ? "if" : "else if";
-                            writer.controlFlow(
-                                controlFlowKeyword,
-                                php.codeblock(`$${usernameName} !== null && $${passwordName} !== null`)
-                            );
+                        const { condition, credentialExpr } = resolved;
+                        if (needsControlFlow) {
+                            writer.controlFlow(i === 0 ? "if" : "else if", php.codeblock(condition));
                         }
                         writer.writeLine(
-                            `$defaultHeaders['Authorization'] = "Basic " . base64_encode($${usernameName} . ":" . $${passwordName});`
+                            `$defaultHeaders['Authorization'] = "Basic " . base64_encode(${credentialExpr});`
                         );
-                        if (isAuthOptional || basicAuthSchemes.length > 1) {
+                        if (needsControlFlow) {
                             writer.endControlFlow();
                         }
                     }
@@ -605,8 +604,12 @@ export class RootClientGenerator extends FileGenerator<PhpFile, SdkCustomConfigS
             case "basic": {
                 const username = this.context.getParameterName(scheme.username);
                 const password = this.context.getParameterName(scheme.password);
-                return [
-                    {
+                // When omit is true, the field is completely removed from the end-user API.
+                const usernameOmitted = !!scheme.usernameOmit;
+                const passwordOmitted = !!scheme.passwordOmit;
+                const params: ConstructorParameter[] = [];
+                if (!usernameOmitted) {
+                    params.push({
                         name: username,
                         docs: this.getAuthParameterDocs({ docs: scheme.docs, name: username }),
                         isOptional,
@@ -616,19 +619,22 @@ export class RootClientGenerator extends FileGenerator<PhpFile, SdkCustomConfigS
                             isOptional
                         }),
                         environmentVariable: scheme.usernameEnvVar
-                    },
-                    {
+                    });
+                }
+                if (!passwordOmitted) {
+                    params.push({
                         name: password,
-                        docs: this.getAuthParameterDocs({ docs: scheme.docs, name: username }),
+                        docs: this.getAuthParameterDocs({ docs: scheme.docs, name: password }),
                         isOptional,
                         typeReference: this.getAuthParameterTypeReference({
                             typeReference: STRING_TYPE_REFERENCE,
                             envVar: scheme.passwordEnvVar,
                             isOptional
                         }),
                         environmentVariable: scheme.passwordEnvVar
-                    }
-                ];
+                    });
+                }
+                return params;
             }
             case "header": {
                 const name = this.context.getParameterName(scheme.name);
@@ -755,6 +761,46 @@ export class RootClientGenerator extends FileGenerator<PhpFile, SdkCustomConfigS
         return docs ?? `The ${name} to use for authentication.`;
     }
 
+    /**
+     * Resolves a basic auth scheme into its null-check condition and credential expressions,
+     * accounting for omitted username/password fields. Returns undefined if both fields are omitted.
+     */
+    private resolveBasicAuthScheme(
+        scheme: FernIr.AuthScheme & { type: "basic" }
+    ): { condition: string; credentialExpr: string } | undefined {
+        const usernameName = this.context.getParameterName(scheme.username);
+        const passwordName = this.context.getParameterName(scheme.password);
+        const usernameOmitted = !!scheme.usernameOmit;
+        const passwordOmitted = !!scheme.passwordOmit;
+
+        if (usernameOmitted && passwordOmitted) {
+            return undefined;
+        }
+
+        const conditions: string[] = [];
+        if (!usernameOmitted) {
+            conditions.push(`$${usernameName} !== null`);
+        }
+        if (!passwordOmitted) {
+            conditions.push(`$${passwordName} !== null`);
+        }
+
+        // Build a clean credential expression without redundant empty-string concatenation.
+        let credentialExpr: string;
+        if (usernameOmitted) {
+            credentialExpr = `":" . $${passwordName}`;
+        } else if (passwordOmitted) {
+            credentialExpr = `$${usernameName} . ":"`;
+        } else {
+            credentialExpr = `$${usernameName} . ":" . $${passwordName}`;
+        }
+
+        return {
+            condition: conditions.join(" && "),
+            credentialExpr
+        };
+    }
+
     private getRootSubpackages(): FernIr.Subpackage[] {
         return this.context.ir.rootPackage.subpackages
             .map((subpackageId) => {

generators/php/sdk/src/wire-tests/WireTestGenerator.ts

@@ -489,9 +489,13 @@ export class WireTestGenerator {
                 bearer: () => {
                     authParams.push("token: 'test-token'");
                 },
-                basic: () => {
-                    authParams.push("username: 'test-user'");
-                    authParams.push("password: 'test-password'");
+                basic: (basicScheme) => {
+                    if (!basicScheme.usernameOmit) {
+                        authParams.push("username: 'test-username'");
+                    }
+                    if (!basicScheme.passwordOmit) {
+                        authParams.push("password: 'test-password'");
+                    }
                 },
                 header: (header) => {
                     const paramName = this.case.camelSafe(header.name);

generators/php/sdk/versions.yml

@@ -1,4 +1,16 @@
 # yaml-language-server: $schema=../../../fern-versions-yml.schema.json
+- version: 2.4.0
+  changelogEntry:
+    - summary: |
+        Support omitting username or password from basic auth when configured via
+        `usernameOmit` or `passwordOmit` in the IR. Omitted fields are removed from
+        the SDK's public API and treated as empty strings internally (e.g., omitting
+        password encodes `username:`, omitting username encodes `:password`). When
+        both are omitted, the Authorization header is skipped entirely.
+      type: feat
+  createdAt: "2026-04-02"
+  irVersion: 66
+
 - version: 2.3.2-rc.0
   changelogEntry:
     - summary: |