This package is abandoned and no longer maintained. No replacement package was suggested.

Build simple, secure web applications with Stormpath and Laravel!



0.1.8 2016-12-21 19:01 UTC



Getting Started

Follow these steps to add Stormpath user authentication to your Lumen app.

  1. Download Your Key File

Download your key file from the Stormpath Console.

  1. Store Your Key As Environment Variables

Open your key file and grab the API Key ID and API Key Secret, then add this to your .env file in the root of your project:

You may need to create a .env file if this is a fresh install of Lumen.

  1. Get Your Stormpath Application HREF

Log in to the Stormpath Console and grab the HREF (called REST URL in the UI) of your Application. It should look something like this:

  1. Store Your Stormpath App HREF In the .env file
  1. Install The Package

Open your composer.json file and add the following to your require block:

"stormpath/lumen": "^0.1"
  1. Include It In Your App

    Open your bootstrap/app.php file and add the following to your providers section

  1. Configure It

To modify the configuration of the package, you will need to publish the config file. Run the following in your terminal:

$ php artisan stormpath:config

This will create a stormpath.yaml file in the root of your project with all the options you are able to modify. By default, Login, Logout, OAuth, and Register routes will be enabled. Other routes will be enabled based on your directory settings.

  1. Login

When working with an API, we suggest that you use OAuth tokens. We have created a route for you, /oauth/token, where you can use the client_credentials, password, or refresh grant types.

  • Client Credentials

In this workflow, an API key and secret are provisioned for a Stormpath account. These credentials can be exchanged for an access token by making a POST request to /oauth/token on the web application. The request must look like this:

POST /oauth/token
Authorization: Basic <base64UrlEncoded(apiKeyId:apiKeySecret)>

  • Password Grant

In this workflow, an account can post their login (username or email) and password to the /oauth/token endpoint, with the following body data:

POST /oauth/token

  • Refresh Grant

The refresh grant type is required for clients using the password grant type to refresh their access_token. Thus, it's automatically enabled alongside the password grant type.

An account can post their refresh_token with the following body data:

POST /oauth/token
refresh_token=<refresh token>
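
As an added illustration (not code from this package), the PHP sketch below builds the three POST /oauth/token requests described above. The function name, the RFC 6749 body parameter names (grant_type, username, password), and the use of standard Base64 for the Basic header are assumptions where the page does not show them.

```php
<?php
declare(strict_types=1);

/**
 * Build the pieces of a POST /oauth/token request for one grant type.
 * Body parameter names follow RFC 6749 (assumed; the page elides some bodies).
 */
function buildTokenRequest(string $grantType, array $in): array
{
    // Fields each grant requires from the caller.
    $required = [
        'client_credentials' => ['apiKeyId', 'apiKeySecret'],
        'password'           => ['username', 'password'],
        'refresh_token'      => ['refresh_token'],
    ];
    if (!isset($required[$grantType])) {
        throw new InvalidArgumentException("Unsupported grant type: $grantType");
    }
    foreach ($required[$grantType] as $field) {
        if (!isset($in[$field]) || $in[$field] === '') {
            throw new InvalidArgumentException("Missing field: $field");
        }
    }

    $headers = ['Content-Type' => 'application/x-www-form-urlencoded'];
    $body = ['grant_type' => $grantType];

    if ($grantType === 'client_credentials') {
        // The key pair travels in the Authorization header, never in the URL.
        // Standard Base64 as in HTTP Basic (RFC 7617) is assumed here.
        $headers['Authorization'] = 'Basic '
            . base64_encode($in['apiKeyId'] . ':' . $in['apiKeySecret']);
    } else {
        foreach ($required[$grantType] as $field) {
            $body[$field] = $in[$field];
        }
    }

    return [
        'method'  => 'POST',
        'path'    => '/oauth/token',
        'headers' => $headers,
        // http_build_query percent-encodes values such as "@" and "&".
        'body'    => http_build_query($body),
    ];
}

// Constructed sample values, not real credentials.
$req = buildTokenRequest('password', ['username' => 'jane@example.com', 'password' => 'p&ss word']);
echo $req['method'], ' ', $req['path'], PHP_EOL, $req['body'], PHP_EOL;
```

Send the resulting request over HTTPS only, since the password and key secret are recoverable by anyone who can read the traffic.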

The product guide for token management:

  1. Register

    To get the model for the registration form, make a GET request to /register. This will return a JSON representation of the form along with the available Account Stores.

    {
      "form": {
        "fields": [
          {
            "enabled": true,
            "label": "First Name",
            "placeholder": "First Name",
            "required": true,
            "type": "text"
          },
          {
            "enabled": true,
            "label": "Last Name",
            "placeholder": "Last Name",
            "required": true,
            "type": "text"
          }
        ]
      },
      "accountStores": [
        {
          "href": "",
          "name": "Test Directory",
          "provider": {
            "href": "",
            "providerId": "stormpath"
          }
        }
      ]
    }

    When you want to register a new Account, take the user data from the form model and put it into the body of a POST request to the /register endpoint.

  2. That's It!

You just added user authentication to your app with Stormpath.


If you are having issues with this package, please feel free to submit an issue on this GitHub repository. If it is an issue you are having that needs a little more private attention, please feel free to contact us at or visit our support center.


We welcome anyone to make contributions to this project. Just fork the develop branch of this repository, make your changes, then issue a pull request on the develop branch.

Any pull request you make must have associated tests. If a test is not provided, the pull request will be closed automatically. Also, any pull request made to a branch other than develop will be closed, and a new submission will need to be made to the develop branch.

We regularly maintain this repository, and are quick to review pull requests and accept changes!


Copyright © 2013-2016 Stormpath, Inc. and contributors.

This project is open-source via the Apache 2.0 License.