PHPackages vzool/api-hmac-guard - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [HTTP & Networking](/categories/http) 4. / 5. vzool/api-hmac-guard ActiveLibrary[HTTP & Networking](/categories/http) vzool/api-hmac-guard ==================== A simple and secure way of authenticating your APIs with API HMAC keys using Laravel v4.2.10(8y ago)1581PHPPHP >=5.6.4 Since Jun 15Pushed 8y ago1 watchersCompare [ Source](https://github.com/vzool/api-hmac-guard)[ Packagist](https://packagist.org/packages/vzool/api-hmac-guard)[ Docs](https://github.com/vzool/api-hmac-guard)[ RSS](/packages/vzool-api-hmac-guard/feed)WikiDiscussions master Synced 3d ago READMEChangelogDependencies (4)Versions (45)Used By (0) ApiHmacGuard (Impersonate Protection Algorithm) =============================================== [](#apihmacguard-impersonate-protection-algorithm) [![Latest Stable Version](https://camo.githubusercontent.com/db5c5ee863ee852cf585cea1e3ca6900bd0bdaa8c0d790f5a0e83088f5a69aee/68747470733a2f2f706f7365722e707567782e6f72672f767a6f6f6c2f6170692d686d61632d67756172642f762f737461626c65)](https://packagist.org/packages/vzool/api-hmac-guard) [![Total Downloads](https://camo.githubusercontent.com/a2a0384cc6e9f24ee8b92e905943929900a7d041c1df42fc2f8126457f053586/68747470733a2f2f706f7365722e707567782e6f72672f767a6f6f6c2f6170692d686d61632d67756172642f646f776e6c6f616473)](https://packagist.org/packages/vzool/api-hmac-guard) [![Join the chat at https://gitter.im/chrisbjr/api-guard](https://camo.githubusercontent.com/abe08b740a4156153736f791393ec4da6619c4be73212e75769f52edacc0e2b5/68747470733a2f2f6261646765732e6769747465722e696d2f4a6f696e253230436861742e737667)](https://gitter.im/chrisbjr/api-guard?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) [![Impersonate Protection Algorithm](https://raw.githubusercontent.com/vzool/api-hmac-guard/master/analysis/api-hmac-guard.jpeg)](https://raw.githubusercontent.com/vzool/api-hmac-guard/master/analysis/api-hmac-guard.jpeg) A simple way of authenticating your APIs with API HMAC keys using Laravel. This package uses the following libraries: - philsturgeon's [Fractal](https://github.com/thephpleague/fractal) - maximebeaudoin's [api-response](https://github.com/ellipsesynergie/api-response) Laravel 5.3, 5.4 and 5.5 is finally supported! ---------------------------------------------- [](#laravel-53-54-and-55-is-finally-supported) \*\*Laravel 5.3.x onwards: `~4.*` \*\*Laravel 5.1.x to 5.2.x: [`~3.*`](https://github.com/vzool/api-hmac-guard/blob/3.1/README.md) \*\*Laravel 5.1.x: `~2.*` \*\*Laravel 4.2.x: [`~1.*`](https://github.com/vzool/api-hmac-guard/tree/laravel4) (Recently updated version for Laravel 4. Please note that there are namespace changes here) \*\*Laravel 4.2.x: [`0.*`](https://github.com/vzool/api-hmac-guard/tree/v0.7) (The version that most of you are using) Fork overview points: --------------------- [](#fork-overview-points) 1- API tokens should never be saved in the database, which help us secure users token and protect them against impersonate user account by using tokens that leaked from database if breach take place. 2- Database will save a `public_key` which is an endpoint to access key pairs record, this key should be unique and indexed. 3- Database will save a `private_key` which will be kept private at server side. 4- Token which is a `shared_key` will be generated every time when the request happen. 5- Token will be generated on the fly by Hmac and using Application Key `config('app.key')` as server private key with `private_key` which considered a client private key on server side. 6- Default Hmac algo is `sha3-384`, there are many algo out [there](http://php.net/manual/en/function.hash-hmac-algos.php). 7- If you change Hmac algo, the key length will be different which depends on algo itself. 8- The `Middleware` will expect two keys as headers which are: - `X-Auth-EndPoint`: this is a `public_key` - `X-Auth-Token`: this is a `shared_key` 9- If you don't like a default headers name, then you can update them from `apiguard.php` config file. 10- You should send these two keys `public_key` & `shared_key` to your clients and make them send it back to server in order to be identified. ### Quick Example [](#quick-example) ``` >>> $key = ApiKey::make($person); // or $user => Vzool\ApiHmacGuard\Models\ApiKey {#1256 public_key: "-15af2b946b069d-5mQykkuMmF8UDZIuZkG8AdFfB3udhYkGW-", apikeyable_id: 1, apikeyable_type: "App\Models\Person", last_ip_address: "127.0.0.1", last_used_at: Carbon\Carbon @1525856582 {#1263 date: 2018-05-09 12:03:02.723851 Asia/Riyadh (+03:00), }, private_key: "-17AKPqotjcQBjzmdktluKiR5qUbyyzqWov-15af2b946b0c4-", updated_at: "2018-05-09 12:03:02", created_at: "2018-05-09 12:03:02", id: 5, } >>> $key->clientKeys() => [ "endpoint" => "-15af2b946b069d-5mQykkuMmF8UDZIuZkG8AdFfB3udhYkGW-", "token" => "9f9de38c4405a747fc25dd146b2ee6a30e8ea627c7da26d5a616c4c2fcb9ec896b4020febcb4971a65b97959c5d5625a", ] >>> >>> $key->publicKey() => "-15af2b946b069d-5mQykkuMmF8UDZIuZkG8AdFfB3udhYkGW-" >>> $key->sharedKey() => "9f9de38c4405a747fc25dd146b2ee6a30e8ea627c7da26d5a616c4c2fcb9ec896b4020febcb4971a65b97959c5d5625a" >>> $key->privateKey() => null // private keys are always protected and writable for one time ``` Quick start ----------- [](#quick-start) ### Installation for Laravel 5.3 to 5.4 [](#installation-for-laravel-53-to-54) Run `composer require vzool/api-hmac-guard 4.*` In your `config/app.php` add `Vzool\ApiHmacGuard\Providers\ApiGuardServiceProvider` to the end of the `providers` array ``` 'providers' => array( ... Vzool\ApiHmacGuard\Providers\ApiGuardServiceProvider::class, ), ``` Now publish the migration and configuration files for api-guard: ``` $ php artisan vendor:publish --provider="Vzool\ApiHmacGuard\Providers\ApiGuardServiceProvider" ``` Then run the migration: ``` $ php artisan migrate ``` It will setup `api_keys` table. ### Generating your first API key [](#generating-your-first-api-key) Once you're done with the required setup, you can now generate your first API key. Run the following command to generate an API key: `php artisan api-key:generate` Generally, the `ApiKey` object is a polymorphic object meaning this can belong to more than one other model. To generate an API key that is linked to another object (a "user", for example), you can do the following: +`php artisan api-key:generate --id=1 --type="App\User"` To specify that a model can have API keys, you can attach the `Apikeyable` trait to the model: ``` use Vzool\ApiHmacGuard\Models\Mixins\Apikeyable; class User extends Model { use Apikeyable; ... } ``` This will attach the following methods to the model: ``` // Get the API keys of the object $user->apiKeys(); // Create an API key for the object $user->createApiKey(); ``` To generate an API key from within your application, you can use the following method in the `ApiKey` model: ``` $apiKey = Vzool\ApiHmacGuard\Models\ApiKey::make() // Attach a model to the API key $apiKey = Vzool\ApiHmacGuard\Models\ApiKey::make($model) ``` To access client keys: ``` $apiKey->clientKeys() ``` Usage ----- [](#usage) You can start using ApiGuard by simply attaching the `auth.apikey` middleware to your API route: ``` Route::middleware(['auth.apikey'])->get('/test', function (Request $request) { return $request->user(); // Returns the associated model to the API key }); ``` This effectively secures your API with an API key which needs to specified in the `X-Authorization` header. This can be configured in `config/apiguard.php`. Here is a sample cURL command to demonstrate: ``` curl -X GET \ http://apiguard.dev/api/test \ -H 'x-authorization: api-key-here' ``` You might also want to attach this middleware to your `api` middleware group in your `app/Http/Kernel.php` to take advantage of other Laravel features such as throttling. ``` /** * The application's route middleware groups. * * @var array */ protected $middlewareGroups = [ ... 'api' => [ 'throttle:60,1', 'bindings', 'auth.apikey', ], ]; ``` If you noticed in the basic example, you can also access the attached model to the API key by calling `$request->user()`. We are attaching the related model in this method because in most use cases, this is actually the user. ### Unauthorized Requests [](#unauthorized-requests) Unauthorized requests will get a `401` status response with the following JSON: ``` { "error": { "code": "401", "http_code": "GEN-UNAUTHORIZED", "message": "Unauthorized." } } ``` ### ApiGuardController [](#apiguardcontroller) The `ApiGuardController` takes advantage of [Fractal](http://fractal.thephpleague.com/) and [api-response](https://github.com/ellipsesynergie/api-response) libraries. This enables us to easily create APIs with models and use transformers to give a standardized JSON response. Here is an example: Let's say you have the following model: ``` use Illuminate\Database\Eloquent\Model; class Book extends Model { protected $fillable = [ 'name', ]; } ``` You can make a basic controller which will return all books like this: ``` use Vzool\ApiHmacGuard\Http\Controllers\ApiGuardController; use App\Transformers\BookTransformer; use App\Book; class BooksController extends ApiGuardController { public function all() { $books = Book::all(); return $this->response->withCollection($books, new BookTransformer); } } ``` Now, you'll need to make the transformer for your Book object. Transformers help with defining and manipulating the variables you want to return to your JSON response. ``` use League\Fractal\TransformerAbstract; use App\Book; class BookTransformer extends TransformerAbstract { public function transform(Book $book) { return [ 'id' => $book->id, 'name' => $book->name, 'created_at' => $book->created_at, 'updated_at' => $book->updated_at, ]; } } ``` Once you have this accessible in your routes, you will get the following response from the controller: ``` { "data": { "id": 1, "title": "The Great Adventures of Chris", "created_at": { "date": "2017-05-25 18:54:18", "timezone_type": 3, "timezone": "UTC" }, "updated_at": { "date": "2017-05-25 18:54:18", "timezone_type": 3, "timezone": "UTC" } } } ``` More examples can be found on the Github page: . To learn more about transformers, visit the PHP League's documentation on Fractal: [Fractal](http://fractal.thephpleague.com/) ### API Validation Responses [](#api-validation-responses) ApiGuard comes with a request class that can handle validation of requests for you and throw a standard response. You can create a `Request` class as you usually do but in order to get a standard JSON response you'll have to extend the `ApiGuardFormRequest` class. ``` use Vzool\ApiHmacGuard\Http\Requests\ApiGuardFormRequest; class BookStoreRequest extends ApiGuardFormRequest { public function authorize() { return true; } public function rules() { return [ 'name' => 'required', ]; } } ``` Now you can use this in your controller as you normally do with Laravel: ``` use Vzool\ApiHmacGuard\Http\Controllers\ApiGuardController; use App\Transformers\BookTransformer; use App\Book; class BooksController extends ApiGuardController { public function store(BookStoreRequest $request) { // Request should already be validated $book = Book::create($request->all()) return $this->response->withItem($book, new BookTransformer); } } ``` If the request failed to pass the validation rules, it will return with a response like the following: ``` { "error": { "code": "GEN-UNPROCESSABLE", "http_code": 422, "message": { "name": [ "The name field is required." ] } } } ``` ### Health Score 33 — LowBetter than 75% of packages Maintenance20 Infrequent updates — may be unmaintained Popularity11 Limited adoption so far Community20 Small or concentrated contributor base Maturity71 Established project with proven stability Bus Factor1 Top contributor holds 55.8% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~34 days Recently: every ~0 days Total 43 Last Release 2927d ago Major Versions v1.1.3 → v2.2.22015-06-16 v2.3.0 → v3.0.02016-02-01 1.1.x-dev → v3.1.22016-10-26 v3.1.2 → v4.0.02017-05-27 3.1.x-dev → v4.1.02017-09-26 PHP version history (3 changes)v0.1PHP >=5.4.0 v3.1.0PHP >=5.5.9 v4.0.0PHP >=5.6.4 ### Community Maintainers ![](https://www.gravatar.com/avatar/a9e5287358c59c776ad8b32d5ff9669f23320d091ff47e466cbb72e46c608b6e?d=identicon)[vzool](/maintainers/vzool) --- Top Contributors [![chrisbjr](https://avatars.githubusercontent.com/u/571279?v=4)](https://github.com/chrisbjr "chrisbjr (121 commits)")[![awkwardusername](https://avatars.githubusercontent.com/u/2331465?v=4)](https://github.com/awkwardusername "awkwardusername (41 commits)")[![vzool](https://avatars.githubusercontent.com/u/4952736?v=4)](https://github.com/vzool "vzool (31 commits)")[![Schnoop](https://avatars.githubusercontent.com/u/1263407?v=4)](https://github.com/Schnoop "Schnoop (3 commits)")[![rchoffardet](https://avatars.githubusercontent.com/u/5098668?v=4)](https://github.com/rchoffardet "rchoffardet (3 commits)")[![gholol](https://avatars.githubusercontent.com/u/7087411?v=4)](https://github.com/gholol "gholol (2 commits)")[![jotafurtado](https://avatars.githubusercontent.com/u/748350?v=4)](https://github.com/jotafurtado "jotafurtado (2 commits)")[![alexgignac](https://avatars.githubusercontent.com/u/1719308?v=4)](https://github.com/alexgignac "alexgignac (1 commits)")[![jeroenlammerts](https://avatars.githubusercontent.com/u/4282711?v=4)](https://github.com/jeroenlammerts "jeroenlammerts (1 commits)")[![JoeOBrien](https://avatars.githubusercontent.com/u/5874388?v=4)](https://github.com/JoeOBrien "JoeOBrien (1 commits)")[![jwdeitch](https://avatars.githubusercontent.com/u/7282720?v=4)](https://github.com/jwdeitch "jwdeitch (1 commits)")[![snipe](https://avatars.githubusercontent.com/u/197404?v=4)](https://github.com/snipe "snipe (1 commits)")[![vikkio88](https://avatars.githubusercontent.com/u/248805?v=4)](https://github.com/vikkio88 "vikkio88 (1 commits)")[![vinicius73](https://avatars.githubusercontent.com/u/1561347?v=4)](https://github.com/vinicius73 "vinicius73 (1 commits)")[![gitter-badger](https://avatars.githubusercontent.com/u/8518239?v=4)](https://github.com/gitter-badger "gitter-badger (1 commits)")[![andrewklau](https://avatars.githubusercontent.com/u/2239920?v=4)](https://github.com/andrewklau "andrewklau (1 commits)")[![awalko](https://avatars.githubusercontent.com/u/8527055?v=4)](https://github.com/awalko "awalko (1 commits)")[![cernicc](https://avatars.githubusercontent.com/u/6370441?v=4)](https://github.com/cernicc "cernicc (1 commits)")[![clrke](https://avatars.githubusercontent.com/u/7193634?v=4)](https://github.com/clrke "clrke (1 commits)")[![danhunsaker](https://avatars.githubusercontent.com/u/1534396?v=4)](https://github.com/danhunsaker "danhunsaker (1 commits)") --- Tags apiapi-keyshmacimpersonatejsonlaravelprivatekeypublickeyrestsharedkeytokentoken-based-authenticationjsonapilaravelrestPrivate Keypublic keyhmacapi keysapi authenticationshared key ### Code Quality TestsPHPUnit ### Embed Badge ![Health badge](/badges/vzool-api-hmac-guard/health.svg) ``` [![Health](https://phpackages.com/badges/vzool-api-hmac-guard/health.svg)](https://phpackages.com/packages/vzool-api-hmac-guard) ``` ### Alternatives [chrisbjr/api-guard A simple way of authenticating your APIs with API keys using Laravel 698375.6k5](/packages/chrisbjr-api-guard)[givebutter/laravel-keyable Add API keys to your Laravel models 187144.5k2](/packages/givebutter-laravel-keyable)[api-platform/laravel API Platform support for Laravel 59126.4k6](/packages/api-platform-laravel)[rap2hpoutre/jacky Opinionated REST JSON HTTP API client for laravel 174.4k](/packages/rap2hpoutre-jacky) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)