API Token Creation for Authentication in Laravel 5.2

by Noor Ali  January 12, 2017

In this article, I will discuss Laravel API token authentication, a very important topic in web app and website security. I will demonstrate the basis of API token authentication and how easily you could implement the idea in your project.

API Token Authentication Laravel

What is API Token Authentication

The traditional process of interacting with a website is that you login from the login page. Next, you perform you desired actions and then log out. However, in the case of REST API, the process is quite different. The traditional procedure does not work in the case of RESTful APIs because the methods used on login page does not make any sense. You need to use api_token instead.

All you need to do is to append the api_token to the query string before making a request and the  request is authenticated.

Now what Laravel 5.2 offers is quite interesting! You can easily implement this idea using the  TokenGuard library of Laravel.

To demonstrate the idea, I will make a simple application, in which users can register themselves, and by using their api tokens, will try to post some data into the database. If Laravel API Guard allows the token, the  data will be posted to the database. If the token is rejected, an exception is thrown.


For the purpose of this article, I assume that

  1. You have a Laravel 5.2 app on a Cloudways managed server. If not, sign up now and create a host it for free.
  2. You have executed the following command in the public_html directory of the app

If you do not have a Cloudways account, signup here. Check out the guide for setting up a Laravel 5.2 application on Cloudways server.

Create the Database

The first order of business is the creation of the database for the users where the user generated would be posted. This database would be named notes. The users could post data to this database using API and API tokens. These tokens are randomly generated. I will use artisan to create this database.

In the folder public_html/database/migrations,  create this file below. This file will create the user database once I instruct artisan later on.

Now in public_html/database/migrations, create the following file:

Once done, create another file in the same directory:


Once done, run the following command in public_html directory. This will create the databases:

laravel migration

Encapsulate the Routes

I will now create a wrapper that will include a Laravel’s MiddleWare for all the routes that I will use via Token Authentication. Check out the following example:

I have used the auth middleware for protecting the routes from unauthenticated users. By appending :api, I am simply telling Laravel to switch to the api guard, which is set up in the config/auth.php.

Another important benefit of wrapping the routes in the middleware, the users accessing the API must present the api_token along with the request. Without the api_token, the user will receive specific error.

Make the Controllers

The next step is the creation of controllers.

First, I will make a slight change in the auth controller residing inside the public_html/app/Http/Controller/auth/


Next, I will make the  HomeController:

Once done, I will look into the NoteController that will insert the notes created by the users.

Make the Models

Testing the App

The app is finished and it is now time to check the functionality of the app. The first step is to register a user. To do this, visit the URL of the application.

register new user

Once registered, get the api_token for the user. For this, launch the Database Manager from Application Access Detail page of the Platform. Once launched, you could see the new user and the associated api_token. Copy this token to a text file.


Now I will make a curl POST request:


If done successfully you will see response similar to this

api response 1

To test an alternate scenario, make a slight alteration in the api_token. The response will change into this:

api response 2

Now, I will try out the GET request with the api_token:

api response 3

You can change the api_token and you will see that you will be directed to the login page instead of the result.


In this tutorial, I demonstrated how you could use api_token for setting up secure communication within your app. The complete code of the app is located here. If you would like to clarify a point discussed above or would like to extend the conversation, please leave a comment below.

Start Creating Web Apps on Managed Cloud Servers Now!

Easy Web App Deployment for Agencies, Developers and E-Commerce Industry

About Noor Ali

Noor Ali is an Associate Software Engineer at Cloudways. He loves to solve technical problems through programming and mathematics.

Stay Connected:

You Might Also Like...