mcgo / laravel-barekey
Pure API key auth, nothing more, nothing less.
Installs: 594
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 0
Forks: 0
Open Issues: 0
pkg:composer/mcgo/laravel-barekey
Requires
- laravel/framework: ^10.0|^11.0|^12.0
Requires (Dev)
- orchestra/testbench: ^8.0|^9.0|^10.0
README
Authenticate everything โ without users.
A minimal, stateless API key authentication guard for Laravel.
No sessions. No Sanctum. No users. Just pure, verifiable keys.
๐ Features
- ๐งฉ Stateless API key guard โ powered by
Auth::viaRequest() - ๐ Secure hashing (SHA-256) and prefix lookup for fast validation
- ๐ฏ Abilities / Scopes with wildcard support (
invoices:*) - even as route middleware - ๐ง Enum-friendly design for type-safe permission checks
- โก No database overhead beyond a single table for all your api keys
- ๐งฑ Works with Laravel Gates,
Auth::check(), andauth:apikeymiddleware
โ๏ธโ Compatibility
| Package Version | Laravel Versions |
|---|---|
| 1.x | 10.x, 11.x, 12.x |
๐ฆ Installation
composer require mcgo/laravel-barekey
Then run the migration:
php artisan migrate
โ๏ธ Setup
Register the guard in your config/auth.php. You can provide your custom Abilities Enum, see packages DefaultAbilities
as example.
'guards' => [ 'barekey' => [ 'driver' => 'apikey', 'provider' => null, // 'abilities' => YourAbilitiesEnum::class ], ],
Barekey automatically registers its guard in your AuthServiceProvider
via Auth::viaRequest('barekey', ...).
๐ Keys
To generate new keys:
php artisan barekey:make "My Service api key" --abilities=invoices:read,reports:read
Output example:
API Key generated, please use it as the following header:
Authorization: Bearer 593acec5-d9c2-43dd-9155-d93bad8c49e4:CJalcoa3ukYpkHa2ZfTWnRi0s4q8JPslSiqKbWXkls1suHMkJ8Ya6ggOKEBoEFje
Or as custom header:
X-Barekey-Token: 593acec5-d9c2-43dd-9155-d93bad8c49e4:CJalcoa3ukYpkHa2ZfTWnRi0s4q8JPslSiqKbWXkls1suHMkJ8Ya6ggOKEBoEFje
๐ Usage
Protect routes using the built-in middleware:
Route::middleware('auth:barekey')->group(function () { Route::get('/status', fn() => ['ok' => true]); });
You can also layer can: for ability-based checks:
Route::middleware(['auth:barekey', 'can:invoices:read']) ->get('/invoices', [InvoiceController::class, 'index']);
Inside your controller, you can access the authenticated key:
$key = request()->user(); // GenericUser with ->id, ->name, ->abilities
๐ง Abilities & Gates
Define abilities as strings or Enums โ both work:
Gate::before(function ($user, string $ability) { $abilities = (array) $user->abilities; return in_array('*', $abilities, true) || in_array($ability, $abilities, true) || str($abilities)->contains(fn($a) => str($ability)->isMatch($a)); });
Or use the included Enum helper:
use App\Enums\Ability; Gate::before(fn($user, $ability) => Ability::granted($user->abilities, $ability));
๐งฎ Example Enum
namespace App\Enums; use McGo\Barekey\Contracts\AbilitiesEnumContract; enum Ability: string implements AbilitiesEnumContract { case InvoicesRead = 'invoices:read'; case InvoicesWrite = 'invoices:write'; case ReportsRead = 'reports:read'; case Admin = 'admin'; // Implement the needed methods. }
๐งผ Commands
| Command | Description |
|---|---|
php artisan barekey:make |
Create a new API key |
๐ Security Notes
- Always use HTTPS
- Never expose API keys in frontend code
- Rotate keys regularly
- Use
revoked_at+expires_atto enforce lifecycle policies
๐งช Testing
php artisan test
Example:
it('authenticates with valid API key', function () { $key = ApiKey::factory()->create([...]); $response = $this->withHeaders([ 'Authorization' => "Bearer {$key->plain}", ])->getJson('/api/status'); $response->assertOk()->assertJson(['ok' => true]); });
๐ Roadmap
- Implement Commands to list and revoke key
- Implement rate limiting per key
- Add some events for created, revoked, used key and a rate limit that had hit
๐งก Credits
- Inspired by Laravel Sanctum,
stripped to the essentials for user-free, machine-to-machine auth. - Crafted by McGo
๐ชช License
MIT ยฉ Mirko Haaser