Naturaily logo with transparent background

API authentication using Devise and Doorkeeper (minimal setup)

Have you ever tried to setup Devise and Doorkeeper in the simplest possible way, without oauth applications etc? Yeah, preparing Rails API authentication can be more flawless than you think. In this article, I’ll show you in a few easy steps the setup you searched for.

Stone temple interior with ornate columns and a small, lit central altar. The area is dimly lit, highlighting the intricate carvings.

Have you ever tried to setup Devise and Doorkeeper in the simplest possible way, without oauth applications etc? Here it is! In this article, I'll show you in a few easy steps that setup you searched for!

Let’s start by creating new, simple Rails application (or clone this one https://github.com/Naturaily/devise-doorkeeper).

  1. rails new myapp

  2. cd myapp

  3. rails g scaffold items name:string description:text

  4. rake db:migrate

  5. add root to: 'items#index' to config/routes.rb

Now we have a simple app with Items CRUD. Let’s add some code to handle Users.

  1. add gem 'devise' to Gemfile and run bundle install

  2. rails g devise:install

  3. rails g devise User

  4. rake db:migrate

  5. add before_action :authenticate_user! to items_controller

OK, only logged in users can CRUD items now. Off to the most exciting part. We want the very same feature on the API, because mobile app is being created. We want the Items CRUD available and we will authenticate every action using Doorkeeper for this, because it’s the easiest thing you can do.

Let’s install Doorkeeper.

  1. add gem 'doorkeeper' to Gemfile and run bundle install

  2. rails g doorkeeper:install

  3. rails g doorkeeper:migration

Now edit that new migration, it should look like this:

tsx

We removed oauth_applications and oauth_access_grants tables (we simply don’t need them). We need to remove associated foreing keys and indexes too. I also removed previous_refresh_token field from oauth_access_tokens table (please read the comment generated by Doorkeeper). And there is a little hack too. We need to change t.references :application, null: false to t.integer :application_id Without that our example won’t work!

Now we can run migrations

tsx

We need to mount doorkeeper in our router. It can be easily done by use_doorkeeper method. But we should remember that we need nothing but tokens! So our code in config/routes.rb can looks like the code below:

tsx

Now let’s integrate Doorkeeper with Devise. First, we need a method to find user by email and password. Let’s edit app/models/user.rb.

tsx

Next we configure Doorkeeper in config/initializers/doorkeeper.rb to use this method.

tsx

Don’t forget to let Doorkeeper access token with a password.

tsx

We also want refresh tokens, so we need to uncomment the line with use_refresh_token.

Next, we skip app authorization.

tsx

There we go! We can now log in and log out to our API. Try this (please remember to keep the server launched):

tsx

DON’T FORGET TO USE SSL on production and staging environments!

OK, it’s time to use our tokens! Let’s retrieve some Items from our API. How? We need two new controllers. Why two? Because we should have separate controllers for API, so we need ItemsController and base controller for API.

We need app/controllers/api/base_controller.rb, a really simple one.

tsx

And app/controller/api/items_controller.rb (exemplary implementation).

tsx

The most important part of code here is before_action :doorkeeper_authorize!. doorkeeper_authorize! is equaivalent of authenticate_user!. Without that every user could CRUD ours items.

The last one thing: add a new route

tsx

And that’s it! Let’s give it a try.

tsx

Let’s Create a Great Website Together

We'll shape your web platform the way you win it!

More posts in this category

  • August 11, 2025 • 19 min read

    How Much Does Website Development Cost and How Long Does It Take?

    Planning a website development project can feel overwhelming, especially when you're trying to balance quality, functionality, and budget constraints. Understanding the real costs and timelines will help you make smart decisions and avoid expensive surprises.

    READ MORE
  • Illustration of e-commerce: a desktop with analytics, smartphone with shopping app, stopwatch, hourglass, and a person with a cart.

    July 30, 2025 • 19 min read

    How Fast Should Your Checkout Process Be for Maximum Conversions?

    Imagine losing $2.5 million in annual revenue because of a single second. Sounds dramatic? If your online business generates $100 million yearly, a mere one-second delay in your checkout process could cost you exactly that much. This is neuroscience, backed by decades of research into how the human brain processes digital experiences.

    READ MORE
  • Illustration of people analyzing data on a laptop, modern website optimization

    July 07, 2025 • 18 min read

    Modern Website Optimization for Business Growth

    Countless businesses are leaving money on the table with websites that look pretty but don't perform. If you're wondering whether your website is actually driving growth or just taking up server space, you're not alone.

    READ MORE