API authentication using Devise and Doorkeeper (minimal setup)
Have you ever tried to set up Devise and Doorkeeper in the simplest possible way, without OAuth applications etc.? Preparing Rails API authentication can be smoother than you think. In this article, I’ll show you in a few easy steps the setup you searched for.

Let’s start by creating a new, simple Rails application (or clone this one: https://github.com/Naturaily/devise-doorkeeper).
rails new myapp
cd myapp
rails g scaffold items name:string description:text
rake db:migrate
Add the following line to config/routes.rb:
root to: 'items#index'
Now we have a simple app with Items CRUD. Let’s add some code to handle Users.
Add the following line to the Gemfile and run bundle install:
gem 'devise'
rails g devise:install
rails g devise User
rake db:migrate
Add before_action :authenticate_user! to items_controller.
OK, only logged-in users can CRUD items now. Off to the most exciting part. We want the very same feature on the API, because a mobile app is being created. We want the Items CRUD available there, and we will authenticate every action using Doorkeeper, because it’s the easiest thing you can do.
Let’s install Doorkeeper.
Add the following line to the Gemfile and run bundle install:
gem 'doorkeeper'
rails g doorkeeper:install
rails g doorkeeper:migration
Now edit that new migration, it should look like this:
tsx
We removed the oauth_applications and oauth_access_grants tables (we simply don’t need them). We need to remove the associated foreign keys and indexes too. I also removed the previous_refresh_token field from the oauth_access_tokens table (please read the comment generated by Doorkeeper). And there is a little hack too: we need to change t.references :application, null: false to t.integer :application_id. Without that our example won’t work!
Now we can run migrations
tsx
We need to mount Doorkeeper in our router. This is easily done with the use_doorkeeper method. But we should remember that we need nothing but tokens! So our code in config/routes.rb can look like the code below:
tsx
Now let’s integrate Doorkeeper with Devise. First, we need a method to find a user by email and password. Let’s edit app/models/user.rb.
tsx
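A credential check of the kind this step calls for, written as an added example and not the article's own code. PasswordGrant, the finder argument and FakeUser are hypothetical names; valid_password?, valid_for_authentication?, active_for_authentication? and find_for_authentication are Devise methods.

```ruby
# Added example, not the article's code. PasswordGrant, finder: and FakeUser
# are hypothetical names. In the Rails app this body would sit in
# User.authenticate, with finder = ->(e) { User.find_for_authentication(email: e) }
# and Doorkeeper's resource_owner_from_credentials block calling it.
module PasswordGrant
  # Returns the user when the credentials are valid and the account may sign
  # in; returns nil for every kind of failure so callers cannot tell them apart.
  def self.authenticate(email, password, finder:)
    return nil if email.to_s.empty? || password.to_s.empty?

    user = finder.call(email)
    return nil unless user

    # Devise's :lockable counts failed attempts inside valid_for_authentication?;
    # calling valid_password? on its own would skip that bookkeeping.
    ok = user.valid_for_authentication? { user.valid_password?(password) }
    # Warden checks active_for_authentication? (locked, unconfirmed) on a web
    # sign-in; on the token endpoint nothing does unless this method does.
    ok && user.active_for_authentication? ? user : nil
  end
end

# Constructed stand-in for a Devise model so the check runs outside Rails.
# Real Devise compares bcrypt digests; the string comparison is only a stub.
FakeUser = Struct.new(:email, :secret, :locked, :failed_attempts) do
  def valid_password?(candidate)
    candidate == secret
  end

  def active_for_authentication?
    !locked
  end

  def valid_for_authentication?
    result = yield
    self.failed_attempts += 1 unless result
    result
  end
end

USERS = [
  FakeUser.new("alice@example.com", "correct horse", false, 0),
  FakeUser.new("bob@example.com", "hunter2!", true, 0)
].freeze
FINDER = ->(email) { USERS.find { |u| u.email == email } }
```

A locked account with the right password and an unknown email both come back as nil, which is the value Doorkeeper's resource_owner_from_credentials block treats as a failed grant.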
Next we configure Doorkeeper in config/initializers/doorkeeper.rb to use this method.
tsx
Don’t forget to let Doorkeeper grant access tokens in exchange for a password.
tsx
We also want refresh tokens, so we need to uncomment the line with use_refresh_token.
Next, we skip app authorization.
tsx
There we go! We can now log in to and log out of our API. Try this (please remember to keep the server running):
tsx
DON’T FORGET TO USE SSL on production and staging environments!
OK, it’s time to use our tokens! Let’s retrieve some Items from our API. How? We need two new controllers. Why two? Because we should have separate controllers for the API, so we need an ItemsController and a base controller for the API.
We need app/controllers/api/base_controller.rb, a really simple one.
tsx
And app/controllers/api/items_controller.rb (exemplary implementation).
tsx
The most important part of the code here is before_action :doorkeeper_authorize!. doorkeeper_authorize! is the equivalent of authenticate_user!. Without it, every user could CRUD our items.
One last thing: add a new route
tsx
And that’s it! Let’s give it a try.
tsx
It works! Yay!
Is that all? Definitely not! We still don’t have registration via the API. But there’s no need to describe it here; someone else has done that already. Please check this post.