Laravel Bastion - A Stripe-inspired API authentication package

Laravel Bastion is a Stripe-inspired API authentication package created by Steve McDougall with environment isolation, granular scopes, built-in security, and more.

#Features

• Stripe-style API Tokens - Prefixed tokens with environment indicators (app_test_pk_, app_live_sk_)
• Environment Isolation - Separate test and live environments with automatic validation
• Granular Scopes - Fine-grained permission control with wildcard support
• Token Types - Public, Secret, and Restricted keys with different access levels
• Audit Logging - Comprehensive activity tracking for compliance and debugging
• Webhook Support - Built-in webhook endpoints with signature verification
• Security First - Expiration dates and secure token hashing
• Laravel Native - Built with Laravel conventions and best practices

After installing this package, you'll want to ensure you add the HasBastionTokens trait to your User model:

use JustSteveKing\Bastion\Concerns\HasBastionTokens;
 
class User extends Authenticatable
{
    use HasBastionTokens;
 
    // ...
}

Then, to generate a token, you can:

use JustSteveKing\Bastion\Enums\TokenEnvironment;
use JustSteveKing\Bastion\Enums\TokenType;
 
$result = $user->createBastionToken(
    name: 'LN API Key',
    scopes: ['posts:read', 'posts:write'],
    environment: TokenEnvironment::Test,
    type: TokenType::Restricted,
);
 
$token = $result['plainTextToken'];
// Example: app_test_rk_a8Kx7mN2pQ4vW9yB1cD3eF5gH6jK8lM
 
echo "Token: " . $token;

To protect your routes, Bastion provides the AuthenticateToken middleware:

use JustSteveKing\Bastion\Http\Middleware\AuthenticateToken;
 
Route::middleware(AuthenticateToken::class)->group(function () {
    Route::get('/api/posts', [PostController::class, 'index']);
});

And when sending requests to an authenticated endpoint, you should pass the token via the Authorization header using the Bearer schema:

use GuzzleHttp\Client;
 
$client = new Client(['base_uri' => 'https://example.com/api']);
$token = 'YOUR_BEARER_TOKEN';
 
$response = $client->request('GET', '/posts', [
        'headers' => [
                'Authorization' => 'Bearer ' . $token,
                'Accept'        => 'application/json',
        ],
]);

If you also need to rotate your tokens, then Bastion has you covered. Use the rotate() method:

$result = $token->rotate();

And there is even an option to use the CLI:

php artisan bastion:rotate {token-id}

Speaking of the CLI, Bastion allows you to manage your tokens using various Artisan commands:

# Generate tokens
php artisan bastion:generate {user-id} "LN App Token" \
    --environment=test \
    --type=restricted \
    --scopes=posts:read --scopes=posts:write
 
# Revoke tokens
php artisan bastion:revoke {token-id} --reason="Token no longer used"
 
# Prune expired tokens
php artisan bastion:prune-tokens --expired
 
# and more...

Steve has put together a handy package with a good set of features. To learn more about Bastion, its features, and view the source code, hop on over to the GitHub repository.