The function password_verify() in the new PHP password API checks if the password corresponds to the hash. The hash is generated by password_hash(), that by default uses a random salt and a cost = 10.
I always thought (although I never studied it) that you have to store the salt inside the database and then when you want to verify the password, hash it with the given salt using the same cost. How can password_verify() check the password without knowing salt and cost?
