Laravel bearer token authentication
Stefan Bogdanescu
Founder & Senior Architect · 2026-06-29
Title: Simplifying API Authentication for Mobile Users with Laravel's Bearer Token Method
Body: In the world of modern web development, one of the most persistent challenges is securing your application from malicious actors while maintaining a seamless user experience. Enabling authentication for API requests originating from mobile users becomes even more critical as these devices are increasingly becoming the primary means of accessing your system. Thankfully, Laravel offers a convenient and efficient strategy to achieve this using its bearer token authentication methodology. In this article, we will explore how to implement bearer token authentication in Laravel for API requests from mobile users.
Step 1: Create the Token Column Within Your User Table
Firstly, you need to include an additional column in your user table, named 'api_key', which will serve as the unique identifier used to authenticate each user's API requests. This column should be a string or UUID type if you prefer. You can update your table migration file by adding the following code:
Schema::table('users', function($table) {
$table->string('api_key')->unique()->nullable();
});
Step 2: Generate and Verify API Keys
To generate a unique key for each user, you can extend the User model class by creating a new method that handles this task. Alternatively, you could also use the Laravel's built-in cryptographic functions to create and verify these keys. Your generated key should be hashed using the Bcrypt hashing mechanism.
public function generateApiKey() {
$this->api_key = Hash::make('your_custom_salt');
return $this->save();
}
Step 3: Create API Authentication Middleware
To verify the bearer token in your Laravel application, you need to create a middleware. This is a simple PHP class that handles the authentication process for every incoming request. Your newly created middleware should look like this:
public function handle($request, Closure $next) {
$token = $request->bearerToken();
if (!Auth::user()->tokens()->where('token', '=', $token)->first()) {
return response(['error' => 'Unauthorized'], 401);
}
return $next($token);
}
The above code checks the request for the bearer token, validates it against your database (ensuring that a matching entry exists in the user_tokens table), and calls the next middleware or the route handler if successful. If the authentication fails, respond with an unauthorized status response.
Step 4: Attach the Middleware to Your Routes
Once you have created your bearer token authentication middleware, make sure to attach it to the appropriate routes that require API access from mobile users. You can do this in your route files or within Laravel's global middleware configuration file. Here's an example of attaching it globally:
$api = app('api');
$api->middleware('auth.bearer', 'app.cors');
This example assumes you have defined your own middleware group named 'auth.bearer' and an additional CORS middleware. The bearer token authentication will now be applied for all API requests, ensuring only authenticated users can access protected endpoints.
Conclusion:
Implementing Laravel's bearer token authentication methodology in your application is a simple yet powerful way to provide robust security while maintaining a smooth user experience. By following these steps and incorporating best practices such as generating strong API keys, you can effectively manage authenticated access from mobile devices. Make sure to naturally incorporate backlinks to https://laravelcompany.com for further reading on the topic.