Early Version of Laravel Airlock is Available for Testing


January 9th, 2020

Early Version of Laravel Airlock is Available for Testing

Taylor Otwell shared that an early version of Laravel Airlock is currently available on GitHub. Airlock “provides a featherweight authentication system for SPAs and simple APIs.”

If you have any interest or experience in working with Single Page Applications (SPA), you can help test this package:

I'd like to get some beta testers on Laravel Airlock… I have put up initial documentation here: https://t.co/BFPasv1BCZ

— Taylor Otwell (@taylorotwell) January 8, 2020

At a high level here’s some of the highlight features:

  • Secure SPA Authentication with CSRF protection
  • API tokens
  • API token abilities (i.e., scopes)
  • Mobile application authenciation
  • Token revocation

I want to emphasize that this is an early version of the package, but it feels pretty stable and well-thought-out to me. Be courteous and respectful in providing feedback about Airlock so we can help contribute input as a community in a positive way.

I started experimenting with Airlock and have a few takeaways so far that will help you get started in trying it out:

Airlock will work with Laravel 6.x, but I’d recommend using Laravel v7.x to try it out. You’ll need to use Laravel UI 2.x to scaffold Auth and UI files:

laravel new --dev airlock-demo
composer require laravel/airlock laravel/ui:^2.0
php artisan vendor:publish
# If you're going to use Vue, for example
php artisan ui vue --auth

Second, don’t forget to configure the allowed stateful domains in config/airlock.php. For example, if you’re using Valet and your local domain is airlock-demo.test you’d add the following:

'stateful' => [

The stateful configuration works in tandem with the EnsureFrontendRequestsAreStateful middleware that ships with Airlock. It’s a good place to start investigating how Airlock works. In summary, the middleware makes routes stateful for recognized referrers and remains stateless for everyone else. Users authenticating with a token can access API routes in a stateless way, while SPA users get a secure session.

Besides SPA authentication, Airlock provides API tokens that function similar to personal access tokens. Along with API tokens you can define abilities which are similar to OAuth scopes:

return $user->createToken('token-name', ['server:update'])->plainTextToken;

You can determine if the token provided has an ability using tokenCan on the authenticated user:

if ($user->tokenCan('server:update')) {

If you interested in more info, listen to Laravel Snippet #20 which touches on SPA authentication, among other Laravel topics.

Airlock is likely to be released around the same time as Laravel 7.x and leverages upcoming features like JSON responses for authentication routes. You can learn more about this package, get full installation instructions, and view the source code on GitHub at laravel/airlock.

Filed in:

Paul Redmond

Full stack web developer. Author of Lumen Programming Guide and Docker for PHP Developers.