cline / bearer
Stripe-style typed API tokens with groups, environments, and audit logging for Laravel
Requires
- php: ^8.5.0
- cline/ancestry: ^2.0.3
- cline/morphism: ^2.0.1
- cline/variable-keys: ^2.0.3
- facade/ignition-contracts: ^1.0.2
- laravel/framework: ^10.0 || ^11.0 || ^12.56 || ^13.0
- spatie/laravel-package-tools: ^1.93.0
Requires (Dev)
- cline/coding-standard: ^3.2.1
- cline/warden: ^5.0.3
- mockery/mockery: ^1.6.12
- orchestra/testbench: ^8.0 || ^9.0 || ^10.11
- spatie/laravel-activitylog: ^4.12.3
- symfony/var-dumper: ^6.0 || ^7.4.6 || ^8.0
Suggests
- cline/warden: Use the Warden ability provider for owner-based authorization checks.
README
Stripe-style typed API tokens with groups, environments, and audit logging for Laravel. Features include a conductor-based API, token rotation, revocation strategies, seamless Sanctum integration, and optional recoverable legacy tokens for systems that must display keys after creation.
Requirements
Requires PHP 8.4+ and Laravel 11+
Installation
composer require cline/bearer
If you want Bearer to delegate runtime ability checks to Warden, install Warden in your application and switch the authorization driver:
composer require cline/warden
// config/bearer.php
'authorization' => [
    'default' => env('BEARER_AUTHORIZATION_DRIVER', 'array'),
],
The array provider remains the default. The warden provider requires both
the token's stored ability scope and the token owner's Warden permission to pass.
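An added sketch (not Bearer's or Warden's own code) of the rule above: under warden a request passes only when the ability is in the token's stored scope and the owner currently holds it. The Owner, Token and authorize names are hypothetical, and the sketch assumes the array driver consults only the stored scope and that '*' means all abilities, as in Sanctum.

```php
<?php
declare(strict_types=1);

// Added illustration only: hypothetical classes, NOT Bearer's or Warden's API.
final class Owner
{
    /** @param list<string> $permissions permissions the owner holds right now */
    public function __construct(public array $permissions) {}

    public function isAllowed(string $ability): bool
    {
        return in_array($ability, $this->permissions, true);
    }
}

final class Token
{
    /** @param list<string> $abilities scope stored on the token at issue time */
    public function __construct(public Owner $owner, public array $abilities) {}

    public function inScope(string $ability): bool
    {
        // '*' as "all abilities" follows Sanctum's convention (assumed here).
        return in_array('*', $this->abilities, true)
            || in_array($ability, $this->abilities, true);
    }
}

/** Decide a request under the named driver; unknown drivers fail closed. */
function authorize(string $driver, Token $token, string $ability): bool
{
    return match ($driver) {
        // Assumption: the array driver consults only the stored scope.
        'array'  => $token->inScope($ability),
        // Per the README: stored scope AND the owner's current permission.
        'warden' => $token->inScope($ability) && $token->owner->isAllowed($ability),
        default  => false,
    };
}

// Constructed scenario: wide scope at issue time, owner later reduced to read-only.
$token = new Token(new Owner(['invoices:read']), ['invoices:read', 'invoices:refund']);

foreach (['array', 'warden'] as $driver) {
    foreach (['invoices:read', 'invoices:refund'] as $ability) {
        $verdict = authorize($driver, $token, $ability) ? 'allow' : 'deny';
        printf("%-6s %-16s %s\n", $driver, $ability, $verdict);
    }
}
```

In this constructed scenario only the warden driver denies invoices:refund, because the token's stored scope has outlived the owner's permission.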
Bearer also honors the configured morph key map when hydrating token
ownership relations. If your User, Organization, or other owner model
uses ulid or uuid as its primary key, configure the relevant entry in
morphKeyMap or enforceMorphKeyMap and Bearer will resolve owner,
context, and boundary correctly.
Documentation
- Getting Started - Installation, configuration, and first steps
- Basic Usage - Creating, validating, and managing tokens
- Authentication - Integrating with Laravel authentication
- Custom Token Types - Defining typed tokens with abilities
- Token Metadata - Attaching and querying token metadata
- Derived Keys - Hierarchical token derivation for resellers
- Revocation & Rotation - Token lifecycle management
- IP & Domain Restrictions - Network-based access control
- Rate Limiting - Throttling token usage
- Usage Tracking - Monitoring token activity
- Audit Logging - Recording token events
- Token Generators - Custom token generation strategies
Change log
Please see CHANGELOG for more information on what has changed recently.
Contributing
Please see CONTRIBUTING and CODE_OF_CONDUCT for details.
Security
If you discover any security-related issues, please use the GitHub security reporting form rather than the issue queue.
Credits
License
The MIT License. Please see License File for more information.