Your aes-256-gcm encryption standard to decrypt the user object is only supported with PHP 7.1 and up.
It took me a while to figure out due to it silently failing for older versions (see bug).
This adds a complication for app development. See also the stats:
I propose to add a note in the docs in the php example, or offer an alternative secure standard?