devise api authentication

devise api authentication  using -'ruby-on-rails,ruby,json,api,devise'

I am working on a rails web application that also provides JSON based API for mobile devices . mobile clients are expected to first obtain a token with (email/pass), then clients will make subsequential API calls with the token.

I am pretty new to Devise, and I am looking for a Devise API look like "authenticate(email, pass) and expect it to return true/false, then based on that I will either create and hand back the token or return a decline message. but seems Devise doesn't provide something like this.

I am aware that Devise 1.3 provides JSON based auth, but that's a bit different from what I need - I need to generate token and handle back to client, then after that auth is done using the token instead.

Can someone please give some pointers?

asked Oct 23, 2015 by abhi
0 votes
1 view

4 Answers

0 votes

There is a devise configuration called :token_authenticatable. So if you add that to the devise method in your "user", then you can authenticate in your API just by calling


You'll probably want this in your user as well:

before_save :ensure_authentication_token

UPDATE (with API authorization code)

The method you're looking for are:

resource = User.find_for_database_authentication(:login=>params[:user_login][:login])

here's my gist with a full scale JSON/API login with devise

answered Oct 23, 2015 by mtabakade
0 votes

Devise is based on Warden, an authentification middleware for Rack.

If you need to implement your own (alternative) way to authenticate a user, you should have a look at Warden in combination with the strategies that ship with Devise:

answered Oct 23, 2015 by kinnari
0 votes

I would recommend reading through the Devise Wiki, as Devise natively supports token authentication as one of it's modules. I have not personally worked with token authentication in Devise, but Brandon Martin has an example token authentication example here.

answered Oct 23, 2015 by badhwar.rohit
0 votes

If token auth just isn't what you want to do, you can also return a cookie and have the client include the cookie in the request header. It works very similar to the web sessions controller.

In an API sessions controller

class Api::V1::SessionsController < Devise::SessionsController

  skip_before_action :authenticate_user!
  skip_before_action :verify_authenticity_token

  def create
    warden.authenticate!(:scope => :user)
    render :json => current_user


In Routes

namespace :api, :defaults => { :format => 'json' } do
  namespace :v1 do
    resource :account, :only => :show
    devise_scope :user do
      post :sessions, :to => 'sessions#create'
      delete :session, :to => 'sessions#destroy'

Then you can do this sort of thing (examples are using HTTPie)

http -f POST localhost:3000/api/v1/sessions user[email] user[password]=passw0rd

The response headers will have a session in the Set-Cookie header. Put the value of this in subsequent requests.

http localhost:3000/api/v1/restricted_things/1 'Cookie:_my_site_session=; path=/; HttpOnly'
answered Oct 23, 2015 by abhi