PHP & Slim token authentication API

Rest API authentication & security is crucial for most applications handling sensible information and user-specific data.

In this post we’ll discuss just one, token based authentication with PHP and the Slim micro framework (the logic can be applied to any routes framework or even if you have your own implementation).

First of all, if you still don’t know Slim, check it out, you wont regret it:

  • PHP Knowledge
  • Slim basic knowledge
  • REST understanding

Ok, so lets assume that you have a login page that will send the username and password to your API endpoint and it should return a token that the user will pass back on successive secured calls.


untitled (1) copy

Our login endpoint can be  which will receive the username and password, will verify against our DB and if everything is correct and then return something a JSON with the user information and token.

A good thing you can do on your DB is to set an “expiration” date to the token, this way you can verify if the user was inactive for a certain amount of time and the token gets expired, it just improves security.

Screen Shot 2015-04-02 at 1.46.08 PM


This is what your PHP login function could look like:

And this can be your return JSON:

Once we have sent our credentials to the API and everything is correct, the front end should get this JSON and you can somehow store the token (cookies, local storage, etc) that will be used on future calls to the API that do need authentication.

After we’ve saved our precious token, we can use it on secured endpoint by simply adding the token to our request header. Let’s just use jQuery as an example:

Check out the headers  parameter is being passed an object Authorization  that it’s value is the token that we received from the API in the first place. This header parameter will help us pass the token in a secure way.

Now our endpoint  will receive a string in the request body (the skills and nickname values) and the Authorization in the header.

To be able to get this header on every call to our API, we can create a Middleware in Slim that will handle this for us.

The purpose of middleware is to inspect, analyze, or modify the application environment, request, and response before and/or after the Slim application is invoked. It is easy for each middleware to obtain references to the primary Slim application, its environment, its request, and its response

A very simple implementation of a Slim Middleware could be the following

This middleware implements a public call()  method that is executed on every call to our API. In our middleware this method simply retrieves the header Authorization  and checks if the token is valid. If the token is valid it returns an instance of the user from the DB and makes it available through the Slim $app, so that way we can use the user object in our controller and we know who is the logged in user. Then we just update the token expiration and then  call()  the next inner middleware. If the token is not valid, we deny_access().

If you require any specific initialization you can use the constructor of the class.

There is one thing that you need to pay attention, in this example, the middleware will be executed for every API call, so when you call the /login endpoint, you will not be able to continue because you will not have any Authorization header yet, so for the sake of simplicity I did not included any url filtering in the example but you can implement this  on your own.

Once we have our middleware ready, we need to add it so Slim knows about it, we do it this way:

We first require our middleware and then we use the  $app->add()  method to add it to the Slim execution stack.

Now we can then just create our controller that will handle the routes for the user.The class can look something like this:

The code is pretty much self explanatory, we have two endpoints, one for the login and one for the update.

There several benefits in using this kind of authencation over the typical username+password, lets check some:

  • Speed – No need to encode/decode passwords on every API call
  • Independency – You can use this logic on mobile apps, web apps, etc. No need for sessions on the server
  • Entropy – Token hashes are a very good way to keep your system safe behind a set of characters

To sum up, this is a very reliable method to secure your information even if you are using your private API or if you are giving access to the public. The idea of this post is not to teach how to do it, but to give an idea on how it can be done, the rest is up to you.