The steps below are from a browser REST client, and not specific to PHP.
The assumption is that the security key is already obtained.
To create a defect:
URL:
https://rally1.rallydev.com/slm/webservice/v2.0/Defect/create?key=f8e4afc5-....
Method: POST
Payload:
{
"Defect":{
"Name": "bad defect"
}
To update the same defect:
Browser maintains the session, and as long as the session is not terminated, the same security token can be used.
If the session was terminated ,e.g. due by the user or due to inactivity, a new token must be requested. Below it is assumed that the same token is still valid. Note that the payload has to include only the fields that are being updated, but "Defect" work item type must be specified also.
URL:
https://rally1.rallydev.com/slm/webservice/v2.0/defect/15297487557?key=f8e4afc5-....
Method: POST
Payload:
{"Defect":{
"Description":"pretty bad defect",
"State":"Open",
"Owner":"/user/12361716944"
}
}
The browser maintains the session automatically, and the Ruby, Java or .NET REST toolkits Rally supports also take care of that for the user, but with PHP you need to to do this in your code manually. This post about a cURL example may help.