The answer lies in understanding the http protocol. Let's go in parts:
1) Transferring a third-party site is your site. Everything is simple here, sites written in php generally interact via http. There are some exotic options with sockets in php, but in my opinion it is necessary to use the tool in accordance with its intended purpose. So to business. A third-party site makes an http request to your site, posting (or getting) the necessary information. Most likely, protecting it by transferring a hash sum with some salt known only to sites. For example:
your-site.ru/api/setNumber?num=10
2) Transferring your website to your server application. the hardest part. The secret lies in the fact that php's ability to work with the host system is very limited. Not sure if php will be able to send for example a message to another process on the server system. Here the exchange can be implemented, for example, like this: php launches some microprogram with parameters that passes information to the server program, for example by sending a system message (this is really fraught with security problems, allowing php to run programs is quite dangerous). Either php writes information to a certain database and the server program constantly scans this database for new information.
3) transfer your server application - user's client application. Here again, everything is simple. Your mistake is only that the server, in general, cannot open a socket before the client. The client can be behind nat, behind a proxy and just ports can be closed. Therefore, the client application opens a socket to the server, logs in, and keeps it open (like ICQ or mail agent. Or whatever you use there :)). When some information is received, the server program sends them over an already open connection to the client.
Now let's go back:
1) client application - server application
Already discussed. We have an open socket, we send it on it.
2) server application - your site.
But it is very easy for the application to send information to your site, it is enough to make an http request to your site from the server application.
3) your site is a third party site
again just an http request from your php script to a third party site
Please note that if all elements of the chain are important for transferring "there": a third-party site can most likely only make an http request, then your site is needed to accept it. Your site will not be able to hold the socket and send information to the client program - your server program is needed. Then, when going back, you can safely exclude any of the items: your server program can itself, without the help of your site, make a request to a third-party site. Moreover, the client program itself can make a request to a third-party site, and in general, you can throw your server program and your site out of the way back. Naturally, all this must be protected by encryption from reading and salts from forgery. (as you think, everything is quite simple :) )
Here it is already necessary to look from the organization of the system. I would leave the server program as the main api handler, and make your site as simple as possible with the only function of passing information to the server program.
This is if we talk about your scheme: in life, most likely, “your site” does not exist at all, and the “server program” has an Apache module or by itself listens to the appropriate port and responds to http requests. To eliminate the bug with the transfer of information from php to the server program. This place will fail all the time. Because php is not designed for this. And in the case of implementation with a database poll, there will be an additional delay.