Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (2023)

    Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (1) By Oluyemi Olususi 2020-11-19

    Twitter Facebook LinkedIn

    Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (2)

    The growing use and applications of cloud services necessitates a more efficient architectural style than the Simple Object Access Protocol (SOAP). REST (REpresentational State Transfer) allows for a light-weight, stateless communication between clients and the Application Programming Interface (API). Because the communication is stateless, access control for Restful APIs is based on tokens which carry enough information to determine whether or not the client is authorized to perform the requested action on the resource.

    In this tutorial, I will use CodeIgniter to build a RESTful API. CodeIgniter is a powerful PHP framework with a very small footprint which allows developers to build full-scale web applications.


    A basic understanding of CodeIgniter will be helpful in this tutorial. However, I will provide explanations and links to official documentation throughout the tutorial. If you’re unclear on any concept, you can review the linked material before continuing with the tutorial.

    Additionally, you need to have the following installed on your system:

    • Composer. Composer will be used for dependency management in your CodeIgniter project
    • A local database instance. While MySQL will be used in this tutorial, you are free to select your preferred database service
    • Postman or a similar application to test our endpoints. You can also use cURL to test your endpoints

    What We’ll Build

    To demonstrate how to build a secure CodeIgniter API, we’ll build an API that will be used to manage the client database for a company. This database contains the following data on each client:

    • Name
    • Email
    • Amount paid to retain the company’s services (Retainer fee)

    The API built at the end of this tutorial will have the following functionalities:

    1. Register a new user
    2. Authenticate an existing user
    3. Add a new client
    4. Edit the details of an existing client
    5. View all clients
    6. View a single client by ID
    7. Delete a single client by ID

    Features 3 to 7 will be restricted to authenticated users.

    Getting Started

    Create a new CodeIgniter project using Composer.

    composer create-project codeigniter4/appstarter ci-secure-api

    This will create a new CodeIgniter project within a folder named ci-secure-api. Once the installation is completed, move into the newly created project folder from the terminal and run the application on the local development server that comes installed with CodeIgniter. Use the following command to achieve that:

    // move into the project$ cd ci-secure-api// run the application$ php spark serve

    Navigate to http://localhost:8080/ from your browser to view the welcome page.

    Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (3)

    Environment Variables Preparation

    Now that CodeIgniter is installed and running, the next step is to provide environment variables that will be used by our application. Stop the application from running by pressing CTRL + C on the keyboard and proceed to make a copy of the .env file named .env using the command below:

    $ cp env .env

    CodeIgniter starts up in production mode by default. But for the sake of this tutorial, we will change it to development. To achieve that, uncomment the line shown below and set it to development:

    CI_ENVIRONMENT = development

    Next, create a database within your local environment and uncomment the following variables to update each values to set up a successful connection to the database:

    database.default.hostname = localhostdatabase.default.database = YOUR_DATABASEdatabase.default.username = YOUR_DATABASE_USERNAMEdatabase.default.password = YOUR_DATABASE_PASSWORDdatabase.default.DBDriver = MySQLi # this is the driver for a MySQL connection. There are also drivers available for postgres & SQLite3.

    Replace the YOUR_DATABASE, YOUR_DATABASE_USERNAME, and YOUR_DATABASE_PASSWORD placeholders with your own values.

    Migrations and seeders

    Now that we have created a database and set up a connection to it, we will create migrations for both the user and client table. Migration files are generally useful for creating a proper database structure. The migrations and seeders will be created using the CodeIgniter CLI tool.

    Issue the following command in terminal:

    $ php spark migrate:create

    The CLI will ask you to name the migration file after which it will create the migration file in the App/Database/Migrations directory. For this tutorial, you will create two migration files named:

    (Video) CRUD-1: RESTful API in codeigniter 3.x Install & setup security login auth and api key using POSTMAN

    • add_client
    • add_user

    The migration file name will be prefixed with a numeric sequence in the date format of YYYY-MM-DD-HHIISS. Please see the CodeIgniter documentation for a more detailed explanation.

    Next, update the content of the add_client migration file as follows:

    <?phpuse CodeIgniter\Database\Migration;class AddClient extends Migration{ public function up() { $this->forge->addField([ 'id' => [ 'type' => 'INT', 'constraint' => 5, 'unsigned' => true, 'auto_increment' => true, ], 'name' => [ 'type' => 'VARCHAR', 'constraint' => '100', 'null' => false ], 'email' => [ 'type' => 'VARCHAR', 'constraint' => '100', 'null' => false, 'unique' => true ], 'retainer_fee' => [ 'type' => 'INT', 'constraint' => 100, 'null' => false, 'unique' => true ], 'updated_at' => [ 'type' => 'datetime', 'null' => true, ], 'created_at datetime default current_timestamp', ]); $this->forge->addPrimaryKey('id'); $this->forge->createTable('client'); } public function down() { $this->forge->dropTable('client'); }}

    Here, we specified the fields and their corresponding data types for the Client table.

    Next, open the add_user migration file and replace its content with the following:

    <?phpuse CodeIgniter\Database\Migration;class AddUser extends Migration{ public function up() { $this->forge->addField([ 'id' => [ 'type' => 'INT', 'constraint' => 5, 'unsigned' => true, 'auto_increment' => true, ], 'name' => [ 'type' => 'VARCHAR', 'constraint' => '100', 'null' => false ], 'email' => [ 'type' => 'VARCHAR', 'constraint' => '100', 'null' => false, 'unique' => true ], 'password' => [ 'type' => 'VARCHAR', 'constraint' => '255', 'null' => false, 'unique' => true ], 'updated_at' => [ 'type' => 'datetime', 'null' => true, ], 'created_at datetime default current_timestamp', ]); $this->forge->addPrimaryKey('id'); $this->forge->createTable('user'); } public function down() { $this->forge->dropTable('user'); }}

    The content above will help create the user table and its fields. Now run your migrations using the command below:

     $ php spark migrate

    To make development easier, seed your database with some dummy client data. The fzaninotto faker bundle is a default dependency in the CodeIgniter skeleton and this can be used to add random clients to the database. Just as was done for the migration, the CodeIgniter CLI Tool will be used to create a seeder for clients. Run the following command:

     $ php spark make:seeder

    The CLI will ask for a name called the ClientSeeder. A ClientSeeder.php file will be created in the App/Database/Seeds directory. Open the file and replace its contents with the following:

    <?phpnamespace App\Database\Seeds;use CodeIgniter\Database\Seeder;use Faker\Factory;class ClientSeeder extends Seeder{ public function run() { for ($i = 0; $i < 10; $i++) { //to add 10 clients. Change limit as desired $this->db->table('client')->insert($this->generateClient()); } } private function generateClient(): array { $faker = Factory::create(); return [ 'name' => $faker->name(), 'email' => $faker->email, 'retainer_fee' => random_int(100000, 100000000) ]; }}

    Seed the database with dummy clients using the following command:

    $ php spark db:seed ClientSeeder

    At this point, the database should have a similar structure to the screenshot below:

    Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (4)

    Entity Models

    For the API’s interaction with the database, CodeIgniter’s Model will be used. For this to work, two models will be created - one for the User and another for the Client.

    Open the App/Models directory and create the following files:

    • UserModel.php
    • ClientModel.php

    In UserModel.php, add the following:

    <?phpnamespace App\Models;use CodeIgniter\Model;use Exception;class UserModel extends Model{ protected $table = 'user'; protected $allowedFields = [ 'name', 'email', 'password', ]; protected $updatedField = 'updated_at'; protected $beforeInsert = ['beforeInsert']; protected $beforeUpdate = ['beforeUpdate']; protected function beforeInsert(array $data): array { return $this->getUpdatedDataWithHashedPassword($data); } protected function beforeUpdate(array $data): array { return $this->getUpdatedDataWithHashedPassword($data); } private function getUpdatedDataWithHashedPassword(array $data): array { if (isset($data['data']['password'])) { $plaintextPassword = $data['data']['password']; $data['data']['password'] = $this->hashPassword($plaintextPassword); } return $data; } private function hashPassword(string $plaintextPassword): string { return password_hash($plaintextPassword, PASSWORD_BCRYPT); } public function findUserByEmailAddress(string $emailAddress) { $user = $this ->asArray() ->where(['email' => $emailAddress]) ->first(); if (!$user) throw new Exception('User does not exist for specified email address'); return $user; }}

    The beforeInsert and beforeUpdate functions allow you to perform an operation on the User entity before saving it to the database. In this case, the user’s password is hashed before it is saved to the database.

    Add the following code to the ClientModel.php file:

    <?phpnamespace App\Models;use CodeIgniter\Model;use Exception;class ClientModel extends Model{ protected $table = 'client'; protected $allowedFields = [ 'name', 'email', 'retainer_fee' ]; protected $updatedField = 'updated_at'; public function findClientById($id) { $client = $this ->asArray() ->where(['id' => $id]) ->first(); if (!$client) throw new Exception('Could not find client for specified ID'); return $client; }}

    The $table field lets the Model know which database table it works with primarily. $allowedFields lets the Model know which columns in the table can be updated. The findClientById function provides a clean abstraction to retrieve a client from the database based on the id provided.

    (Video) Restfull api with JWT in Codeigniter Part #23 | Codeigniter 3 Tutorial in Hindi

    With the Models and database implemented, users can be added and authenticated. Authorized users can also interact with current clientele.

    JWT Implementation

    JSON Web Tokens will be used to authenticate users and prevent unauthorized users from viewing the list of clients. For this to work, the API provides a token when the user registers or logs in successfully. This token will be appended to the header of subsequent requests to ensure that the API can identify the user making a request. In this tutorial, the firebase/php-jwt bundle will be used to generate the tokens. Run the following to install it using composer:

    $ composer require firebase/php-jwt

    Once the installation is complete, add the following to your .env file:

    #JWT_SECRET_KEY key is the secret key used by the application to sign JWTS. Pick a stronger one for production.JWT_SECRET_KEY=kzUf4sxss4AeG5uHkNZAqT1Nyi1zVfpz #JWT_TIME_TO_LIVE indicates the validity period of a signed JWT (in milliseconds)JWT_TIME_TO_LIVE=3600

    Next, create a helper function to get the secret key in the Services class. Go to App/Config/Services.php and add the following:

    public static function getSecretKey(){ return getenv('JWT_SECRET_KEY');} 

    Create JWT Helper

    To help with the generation and verification of tokens, a Helper file will be created. This allows us to separate concerns in our application. In the App/Helpers directory create a file name jwt_helper.php. Your helper file should look like this:

    <?phpuse App\Models\UserModel;use Config\Services;use Firebase\JWT\JWT;function getJWTFromRequest($authenticationHeader): string{ if (is_null($authenticationHeader)) { //JWT is absent throw new Exception('Missing or invalid JWT in request'); } //JWT is sent from client in the format Bearer XXXXXXXXX return explode(' ', $authenticationHeader)[1];}function validateJWTFromRequest(string $encodedToken){ $key = Services::getSecretKey(); $decodedToken = JWT::decode($encodedToken, $key, ['HS256']); $userModel = new UserModel(); $userModel->findUserByEmailAddress($decodedToken->email);}function getSignedJWTForUser(string $email){ $issuedAtTime = time(); $tokenTimeToLive = getenv('JWT_TIME_TO_LIVE'); $tokenExpiration = $issuedAtTime + $tokenTimeToLive; $payload = [ 'email' => $email, 'iat' => $issuedAtTime, 'exp' => $tokenExpiration, ]; $jwt = JWT::encode($payload, Services::getSecretKey()); return $jwt;}

    The getJWTFromRequest function checks the Authorization header of the incoming request and returns the token value. If the header is missing, it throws an exception which in turn causes an HTTP_UNAUTHORIZED (401) response to be returned.

    The validateJWTFromRequest function takes the token obtained by the getJWTFromRequest function. It decodes this token to get the email that the key was generated for. It then tries to find a user with that email address in the database. If the user was not found, the User Model throws an exception which is caught and returned to the user as an HTTP_UNAUTHORIZED (401) response.

    The getSignedJWTForUser function is used to generate a token for an authenticated user. The encoded JWT contains the following details:

    • The email of the authenticated user. This is used in subsequent requests to validate the source of the request.
    • The time when the token was generated (iat).
    • The time when the token expires (exp). This is gotten by adding the. JWT_TIME_TO_LIVE value from our .env file to the current time.

    Create Authentication Filter

    In the App/Filters directory create a file named JWTAuthenticationFilter.php . This filter will allow the API check for the JWT before passing the request to the controller. If no JWT is provided or the provided JWT is expired, an HTTP_UNAUTHORIZED (401) response is returned by the API with an appropriate error message. Add the following to your file:

    <?phpnamespace App\Filters;use CodeIgniter\API\ResponseTrait;use CodeIgniter\Filters\FilterInterface;use CodeIgniter\HTTP\RequestInterface;use CodeIgniter\HTTP\ResponseInterface;use Config\Services;use Exception;class JWTAuthenticationFilter implements FilterInterface{ use ResponseTrait; public function before(RequestInterface $request, $arguments = null) { $authenticationHeader = $request->getServer('HTTP_AUTHORIZATION'); try { helper('jwt'); $encodedToken = getJWTFromRequest($authenticationHeader); validateJWTFromRequest($encodedToken); return $request; } catch (Exception $e) { return Services::response() ->setJSON( [ 'error' => $e->getMessage() ] ) ->setStatusCode(ResponseInterface::HTTP_UNAUTHORIZED); } } public function after(RequestInterface $request, ResponseInterface $response, $arguments = null) { }}

    As you can see, the JWT Helper is first loaded, then the getJWTFromRequest and validateJWTFromRequest functions are used to ensure that the request is from an authenticated user with a valid token.

    Register your JWTAuthentication filter and specify the route you want it to protect. This is done in the App/Config/Filters.php file. Update the $aliases and $filters array as follows:

    <?php namespace Config;use App\Filters\JWTAuthenticationFilter;use CodeIgniter\Config\BaseConfig;class Filters extends BaseConfig{ public $aliases = [ 'csrf' => CSRF::class, 'toolbar' => DebugToolbar::class, 'honeypot' => \CodeIgniter\Filters\Honeypot::class, 'auth' => JWTAuthenticationFilter::class // add this line ]; // global filters // method filters public $filters = [ 'auth' => [ 'before' => [ 'client/*', 'client' ], ] ];}

    NOTE: The Debug toolbar will be preloaded by default. There are known conflicts as the DebugToolbar is still under construction. To disable it, comment out the 'toolbar' item in the $globals array.

    By adding these, the before function in JWTAuthenticationFilter.php will be called anytime a request is sent to an endpoint starting with the client. This means that the controller will only receive/handle the request if a valid token is present in the request header.

    Even though we don’t have any controller, we can check to see that our application is working so far. Open Postman and make a GET request to http://localhost:8080/client. You should see something similar to the screenshot below:

    Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (5)

    Next, open the App/Controllers/BaseController.php file and add the following function:

    public function getResponse(array $responseBody, int $code = ResponseInterface::HTTP_OK){ return $this ->response ->setStatusCode($code) ->setJSON($responseBody);}

    This function will be used by your controllers to return JSON responses to the client.

    NOTE: Don’t forget to import the ResponseInterface.

    (Video) CodeIgniter 4 Auth rest api with jwt in one video 🔥🔥🔥🔥

    use CodeIgniter\HTTP\ResponseInterface;

    BaseController extends the CodeIgniter Controller which provides helpers and other functions that make handling incoming requests easier. One of such functions is a validate function which uses CodeIgniter’s validation service to check a request against rules (and error messages where necessary) specified in our controller functions. This function works well with form requests (form-data using Postman). However this would be unable to validate raw JSON requests sent to our API. This is because the content of the JSON request is stored in the body field of the request while the content of the form-data request is stored in the post field of the request.

    To get around this, we’ll write a function that checks both fields in a request to get its content. Add the following to App/Controllers/BaseController.php:

    public function getRequestInput(IncomingRequest $request){ $input = $request->getPost(); if (empty($input)) { //convert request body to associative array $input = json_decode($request->getBody(), true); } return $input;}

    NOTE: Don’t forget to import the IncomingRequest class.

    use CodeIgniter\HTTP\IncomingRequest;

    Next, declare a function that runs the validation service against the $input from our previous function. This function is almost the same as the inbuilt validate function except that instead of running the check against the IncomingRequest, we run it against the input we captured from the getRequestInput function.

    public function validateRequest($input, array $rules, array $messages =[]){ $this->validator = Services::Validation()->setRules($rules); // If you replace the $rules array with the name of the group if (is_string($rules)) { $validation = config('Validation'); // If the rule wasn't found in the \Config\Validation, we // should throw an exception so the developer can find it. if (!isset($validation->$rules)) { throw ValidationException::forRuleNotFound($rules); } // If no error message is defined, use the error message in the Config\Validation file if (!$messages) { $errorName = $rules . '_errors'; $messages = $validation->$errorName ?? []; } $rules = $validation->$rules; } return $this->validator->setRules($rules, $messages)->run($input);}

    NOTE: Don’t forget to import the necessary classes.

    use CodeIgniter\Validation\Exceptions\ValidationException;use Config\Services;

    With this in place, let’s add the logic to register and authenticate users.

    Authentication Controller

    Next, create a file name Auth.php in the App/Controllers directory. Update the file as shown below:

    <?phpnamespace App\Controllers;use App\Models\UserModel;use CodeIgniter\HTTP\Response;use CodeIgniter\HTTP\ResponseInterface;use Exception;use ReflectionException;class Auth extends BaseController{ /** * Register a new user * @return Response * @throws ReflectionException */ public function register() { $rules = [ 'name' => 'required', 'email' => 'required|min_length[6]|max_length[50]|valid_email|is_unique[]', 'password' => 'required|min_length[8]|max_length[255]' ]; $input = $this->getRequestInput($this->request); if (!$this->validateRequest($input, $rules)) { return $this ->getResponse( $this->validator->getErrors(), ResponseInterface::HTTP_BAD_REQUEST ); } $userModel = new UserModel(); $userModel->save($input); return $this ->getJWTForUser( $input['email'], ResponseInterface::HTTP_CREATED ); } /** * Authenticate Existing User * @return Response */ public function login() { $rules = [ 'email' => 'required|min_length[6]|max_length[50]|valid_email', 'password' => 'required|min_length[8]|max_length[255]|validateUser[email, password]' ]; $errors = [ 'password' => [ 'validateUser' => 'Invalid login credentials provided' ] ];$input = $this->getRequestInput($this->request); if (!$this->validateRequest($input, $rules, $errors)) { return $this ->getResponse( $this->validator->getErrors(), ResponseInterface::HTTP_BAD_REQUEST ); } return $this->getJWTForUser($input['email']); } private function getJWTForUser( string $emailAddress, int $responseCode = ResponseInterface::HTTP_OK ) { try { $model = new UserModel(); $user = $model->findUserByEmailAddress($emailAddress); unset($user['password']); helper('jwt'); return $this ->getResponse( [ 'message' => 'User authenticated successfully', 'user' => $user, 'access_token' => getSignedJWTForUser($emailAddress) ] ); } catch (Exception $exception) { return $this ->getResponse( [ 'error' => $exception->getMessage(), ], $responseCode ); } }}


    To successfully register a new user the following fields are required:

    • A name.
    • An email address in a valid format that is not less than 8 characters and not more than 255 characters.
    • A password that is not less than 8 characters and not more than 255 characters.

    The incoming request is checked against the specified rules. Invalid requests are discarded with an HTTP_BAD_REQUEST code (400) and an error message. If the request is valid, the user data is saved and a token is returned along with the user’s saved details (excluding the password). The HTTP_CREATED (201) response lets the client know that a new resource has been created.

    Making a POST request to the register endpoint (http://localhost:8080/auth/register) with a valid name, email address and password will result in a similar response to the one shown below:

    Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (6)


    Successful authentication requires the following:

    • An email address in a valid format that is not less than 8 characters and not more than 255 characters. Additionally the email address must correspond to that of a saved user.
    • A password is not less than 8 characters and not more than 255 characters. As with the email address, the hash of the provided password must match the stored password hash associated with the provided email address.

    However, doing the same for the login endpoint (http://localhost:8080/auth/login) would cause an Internal Server Error (HTTP Code 500). The reason for this is that we make use of a validateUser function in our validation rules which we have not created yet.

    User Validation

    Create a new directory called Validation in the app directory. Inside of the app/Validation folder, create a file named UserRules.php and add the following code to the file:

    <?phpnamespace App\Validation;use App\Models\UserModel;use Exception;class UserRules{ public function validateUser(string $str, string $fields, array $data): bool { try { $model = new UserModel(); $user = $model->findUserByEmailAddress($data['email']); return password_verify($data['password'], $user['password']); } catch (Exception $e) { return false; } }}

    Next, open the App/Config/Validation.php file and modify the $ruleSets array to include your UserRules. $ruleSets should look like this:

    public $ruleSets = [ \CodeIgniter\Validation\Rules::class, \CodeIgniter\Validation\FormatRules::class, \CodeIgniter\Validation\FileRules::class, \CodeIgniter\Validation\CreditCardRules::class, \App\Validation\UserRules::class,];

    With the custom validation rules in place, the authentication request works as expected. Test this sending a POST HTTP request to thehttp://localhost:8080/auth/login endpoint with the details of the user-created earlier:

    (Video) 2 - How to add JWT Token to CodeIgniter 3 Application step by step

    Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (7)

    Create Client Controller

    For the client controller, we will specify the routes in the app/Config/Routes.php file. Open the file and add the following routes:

    $routes->get('client', 'Client::index');$routes->post('client', 'Client::store');$routes->get('client/(:num)', 'Client::show/$1');$routes->post('client/(:num)', 'Client::update/$1');$routes->delete('client/(:num)', 'Client::destroy/$1');

    By doing this, your API is able to handle requests with the same endpoint but different HTTP verbs accordingly.

    Next, in the App/Controllers directory, create a file called Client.php. The contents of the file should be as follows:

    <?phpnamespace App\Controllers;use App\Models\ClientModel;use CodeIgniter\HTTP\Response;use CodeIgniter\HTTP\ResponseInterface;use Exception;class Client extends BaseController{ /** * Get all Clients * @return Response */ public function index() { $model = new ClientModel(); return $this->getResponse( [ 'message' => 'Clients retrieved successfully', 'clients' => $model->findAll() ] ); } /** * Create a new Client */ public function store() { $rules = [ 'name' => 'required', 'email' => 'required|min_length[6]|max_length[50]|valid_email|is_unique[]', 'retainer_fee' => 'required|max_length[255]' ]; $input = $this->getRequestInput($this->request); if (!$this->validateRequest($input, $rules)) { return $this ->getResponse( $this->validator->getErrors(), ResponseInterface::HTTP_BAD_REQUEST ); } $clientEmail = $input['email']; $model = new ClientModel(); $model->save($input); $client = $model->where('email', $clientEmail)->first(); return $this->getResponse( [ 'message' => 'Client added successfully', 'client' => $client ] ); } /** * Get a single client by ID */ public function show($id) { try { $model = new ClientModel(); $client = $model->findClientById($id); return $this->getResponse( [ 'message' => 'Client retrieved successfully', 'client' => $client ] ); } catch (Exception $e) { return $this->getResponse( [ 'message' => 'Could not find client for specified ID' ], ResponseInterface::HTTP_NOT_FOUND ); } }}

    The index, store, and show functions are used to handle requests to view all clients, add a new client, and show a single client respectively.

    Next, create two functions update and destroy. The update function will be used to handle requests to edit a client. None of the fields are required hence any expected value that isn’t provided in the request is removed before updating the client in the database. The destroy function will handle requests to delete a particular client.

     public function update($id) { try { $model = new ClientModel(); $model->findClientById($id); $input = $this->getRequestInput($this->request); $model->update($id, $input); $client = $model->findClientById($id); return $this->getResponse( [ 'message' => 'Client updated successfully', 'client' => $client ] ); } catch (Exception $exception) { return $this->getResponse( [ 'message' => $exception->getMessage() ], ResponseInterface::HTTP_NOT_FOUND ); } } public function destroy($id) { try { $model = new ClientModel(); $client = $model->findClientById($id); $model->delete($client); return $this ->getResponse( [ 'message' => 'Client deleted successfully', ] ); } catch (Exception $exception) { return $this->getResponse( [ 'message' => $exception->getMessage() ], ResponseInterface::HTTP_NOT_FOUND ); } }

    With this in place, our API is set for consumption. Restart your application and test it by sending requests (via Postman, cURL, or your preferred application)

    $ php spark serve

    Add Access Token

    Once you are done with the registration and login process, copy the value of the access_token from the response. Next, click on the Authorization tab and select Bearer Token from the dropdown and paste the value of the access_token copied earlier:

    Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (8)

    Create New Client

    To create a new client, send a POST HTTP request to http://localhost:8080/client:

    Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (9)

    Get All Clients

    To fetch the list of Clients created so far, send a GET HTTP request to http://localhost:8080/client:

    Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (10)

    Get Client by ID

    Retrieve the details of a particular client by sending a GET HTTP request to http://localhost:8080/client/1. In this case, 1 was used to specify the unique id of the client that needs to be fetched from the database:

    Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (11)

    Update Existing Client

    Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (12)

    Delete Existing Client

    Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (13)


    In this article, we create a PHP-based API using CodeIgniter. This allowed the execution of basic CRUD (Create, Read, Update, Delete) operations on a resource (Client). Additionally, we added a layer of security by restricting access to the resource. We also learned how to structure our project in a manner that separates concerns and makes our application loosely coupled.

    The entire codebase for this tutorial is available on GitHub. Feel free to explore further. Happy coding!

    Oluyemi is a tech enthusiast with a background in Telecommunication Engineering. With a keen interest to solve day to day problems encountered by users, he ventured into programming and has since directed his problem solving skills at building softwares for both web and mobile. A full stack software engineer with a passion for sharing knowledge, Oluyemi has published a good number of technical articles and content on several blogs on the internet. Being tech savvy, his hobbies include trying out new programming languages and frameworks.

    Rate this post


    • Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (14) Oluyemi Olususi


    (Video) Tutorial Web Service 9 - REST API Authentication Example in CodeIgniter with JSON Web Token Tutorial

    • Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (15) Marcus Battle
    • Create a Secured RESTful API with CodeIgniter and JSON Web Tokens (16) Diane Phan


How to create a REST API in codeigniter? ›

The process of creating REST API in Codeigniter covers the following steps:
  1. Installation of Codeigniter framework on Cloudways.
  2. Database and table(s) creation.
  3. Setup libraries and permissions.
  4. Setup authentication and API key(s)
  5. Setup HTTP calls (GET, PUT, POST, DELETE)
  6. Test the HTTP calls.
Sep 14, 2021

How to implement JWT in codeigniter? ›

CodeIgniter 4 JSON Web Token(JWT) Authentication
  1. Step 1: Install CodeIgniter 4. ...
  2. Step 2: Change CodeIgniter Environment. ...
  3. Step 3: Configure Database. ...
  4. Step 4: Create A Model and Migration. ...
  5. Step 5: Install JWT Package. ...
  6. Step 6: Create Controllers.
Jan 26, 2023

How to install JWT in codeigniter 3? ›

CodeIgniter Rest Server With JWT Authentication
  1. Import Database from /db/rest_jwt.db.
  2. Test it with postman/insomnia.
  3. Add this to body multipart form : username = dodi. password = dodi123.
  4. If your authentication success you will get generated token response.

How to create API in CodeIgniter 3 step by step? ›

Codeigniter 3 Restful API Tutorial
  1. Step 1: Create items Table. In first table we must have one table with some dummy records. ...
  2. Step 2: Create rest.php config file. In this step we need to add one config file for rest api configuration. ...
  3. Step 3: Create libraries files. ...
  4. Step 4: Create API Controller.
Sep 6, 2020

How to generate API token for REST API? ›

Generating an API token
  1. In Admin Center, click Apps and integrations in the sidebar, then select APIs > Zendesk APIs.
  2. Click the Settings tab, and make sure Token Access is enabled.
  3. Click the Add API token button to the right of Active API Tokens. ...
  4. Enter an API token description.

How to generate JSON Web token in JWT? ›

Generate a token in the website by using the following steps:
  1. Select the algorithm RS256 from the Algorithm drop-down menu.
  2. Enter the header and the payload. ...
  3. Download the private key from the /home/vol/privatekey. ...
  4. Enter the downloaded private key in the Private Key field of the Verify Signature section.

How do I manually generate a JWT token? ›

Creating a JWT token
  1. Create a header JSON object.
  2. Convert the header JSON object to a UTF-8 encoded string and base64url encode it. ...
  3. Create a claims JSON object, including a query string hash.
  4. Convert the claims JSON object to a UTF-8 encoded string and base64url encode it.
Feb 1, 2023

How to create API with token in PHP? ›

Use random_bytes() and bin2hex() function to generate unique and strong API keys in PHP. The following code snippet helps you to create a random and secure string with PHP which is useful for API key/token. $key = bin2hex(random_bytes(32)); The above code will output 64 characters long string.

How to secure API with JWT? ›

  1. Make sure that the JWT authentication is enabled for REST APIs by setting the value of servlet. jwt. auth. ...
  2. The incoming HTTP request for REST API call must contain the request header “Authorization” with scheme “Bearer” followed by JWT. The signature of the token and expiration date is verified by the system.

How do I get JWT tokens from API? ›

To authenticate a user, a client application must send a JSON Web Token (JWT) in the authorization header of the HTTP request to your backend API. API Gateway validates the token on behalf of your API, so you don't have to add any code in your API to process the authentication.

How do I add JWT token to Chrome? ›

How it works
  1. Install the Chrome extension.
  2. Open developer tools and select the JWT tab.
  3. Use a site which sends JWT bearer tokens in the Authorization HTTP header.
  4. See the token contents in the developer tools pane.

How to secure Web API in php? ›

The only prerequisites are PHP, Composer, and a free Okta developer account.
  1. Create the REST API Skeleton.
  2. Implement the Initial REST API Version.
  3. Using Okta and OAuth 2.0 to Secure the API.
  4. Setting Up Okta.
  5. Obtain an Access Token from Okta.
  6. Add Token Authorization to the API.
  7. Revoking the Access Token.
Jan 15, 2020

What is the use of API in CodeIgniter? ›

CodeIgniter provides an API Response trait that can be used with any controller to make common response types simple, with no need to remember which HTTP status code should be returned for which response types.

How to create API without framework? ›

How to Create a NodeJS API Without Using a Framework
  1. Step 1: Setting Up Your Development Environment. Create a project directory and cd into it by running: mkdir nodejs-api. ...
  2. Step 2: Connecting Your Application to a Database. ...
  3. Step 3: Creating an API Model. ...
  4. Step 4: Implementing Routing in Your Application.
Sep 17, 2022

What are the 4 components of REST API? ›

Any REST request includes four essential parts: an HTTP method, an endpoint, headers, and a body.

How to create REST API in JSON? ›

  1. First of all, ensure you have NodeJs and NPM installed.
  2. Create a folder name of your own choice on the desired location. For now, I have created with the name: Fake-APIs.
  3. Run npm init inside the folder. ...
  4. Run npm install — save json-server. ...
  5. We need to start our server now. ...
  6. You should see a file named db.
Jan 14, 2021

How to create REST API diagram? ›

Select Tools > Code > Generate REST API... from the toolbar. In the REST API window, keep Provider selected for API Type. By doing so, you will be able to generate API documentation as well as the server sample code that guides you in programming your service (logic). Check the Members resource to generate API.

How to create API with token? ›

  1. Create an API token.
  2. Enable CORS.
  3. Find your Okta domain.
  4. Find your application credentials.
  5. Share app key credentials for IdPs.
  6. Set up SAML Tracer.
  7. Upgrade SAML apps to SHA256.
  8. Sign Okta certs with your own CA.

How to secure REST API with token? ›

2. Best Practices to Secure REST APIs
  1. 2.1. Keep it Simple. Secure an API/System – just how secure it needs to be. ...
  2. 2.2. Always Use HTTPS. ...
  3. 2.3. Use Password Hash. ...
  4. 2.4. Never expose information on URLs. ...
  5. 2.5. Consider OAuth. ...
  6. 2.6. Consider Adding Timestamp in Request. ...
  7. 2.7. Input Parameter Validation.
Dec 30, 2022

How to create token-based web API? ›

To do so, add an empty Web API Controller, where we will add some action methods so that we can check the Token-Based Authentication is working fine or not. Go to Solution Explorer > Right click on the Controllers folder > Add > Controller > Select WEB API 2 Controller – Empty > Click on the Add button. >

What are the three parts of a JSON Web token? ›

Anatomy of a JWT

Figure 1 shows that a JWT consists of three parts: a header, payload, and signature.

How works a JSON Web token? ›

How do JSON Web Tokens work?
  1. The application or client requests authorization to the authorization server. ...
  2. When the authorization is granted, the authorization server returns an access token to the application.
  3. The application uses the access token to access a protected resource (like an API).

What is JSON Web token? ›

JSON web token (JWT), pronounced "jot", is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

How do I get a JWT token from my website? ›

To request an access token, send a POST request containing the JWT to the DocuSign authentication service. The response to a successful request will include your access token value.

Can we use JWT without authentication? ›

JWTs can be used as an authentication mechanism that does not require a database. The server can avoid using a database because the data store in the JWT sent to the client is safe.

How are JWT tokens generated? ›

How is a JWT token generated? We set the signing algorithm to be HMAC SHA256 (JWT supports multiple algorithms), then we create a buffer from this JSON-encoded object, and we encode it using base64. The partial result is eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 .

How to create API in PHP step by step? ›

  1. Create the PHP Project Skeleton for Your REST API.
  2. Configure a Database for Your PHP REST API.
  3. Add a Gateway Class for the Person Table.
  4. Implement the PHP REST API.
  5. Secure Your PHP REST API with OAuth 2.0.
  6. Add Authentication to Your PHP REST API.
Mar 8, 2019

How to create a JSON Web token using PHP? ›

How to Build a JSON Web Token in PHP
  1. Create the Header and Payload. To begin we need to create header and payload JSON strings. ...
  2. Create Base64Url Header and Payload Strings. ...
  3. Create the Signature. ...
  4. Base64Url Encode the Signature. ...
  5. Create the JSON Web Token.
Jan 31, 2018

How to use JWT authentication with Web API PHP? ›

How does JWT work
  1. The client sends it's credentials to the server.
  2. The server generates the token and sends it back to the client.
  3. The client issues a new request including the token.
  4. The server verifies the token and responds accordingly.
Nov 7, 2021

What is the best way to secure a Web API? ›

Use strong and secure authentication methods: The API should use strong and secure authentication methods, such as hashed and salted passwords or two-factor authentication.

How do I secure my Web API? ›


HTTPS and Transport Layer Security (TLS) offer a secured protocol to transfer encrypted data between web browsers and servers. Apart from other forms of information, HTTPS also helps to protect authentication credentials in transit.

How to secure an API without authentication? ›

Encryption — Having encryption enabled on the API and using https using TLS secures the channel as well as the information sent. Rate limiting and throttling — Limiting the number of requests coming into an API helps prevent abuse.

What is the difference between JWT and token? ›

The main difference between JWTs and opaque tokens is that an unencrypted JWT can be interpreted by anybody that holds the token, whereas opaque tokens cannot. An unencrypted JWT consists of three parts: a header, a payload, and a signature.

How do I send a token as an API request? ›

When you put a VerifyAccessToken policy at the front of your API proxy flow, apps must present a verifiable access token (also called a "bearer token") to consume your API. To do this, the app sends the access token in the request as an "Authorization" HTTP header.

What is the difference between JWT and API key? ›

The main difference between API Key auth and JWT token auth is that the JWT Token is self-contained - the information asserted by the token is in the token. Whereas with an API Key the asserted information is stored in an external system.

Does Google use JWT for authentication? ›

With some Google APIs, you can make authorized API calls using a signed JWT instead of using OAuth 2.0, which can save you a network request.

How to add token to API URL? ›

Getting the token
  1. Go to https://<your server>/comGpsGate/api/v. 1/test where <your server> is your server URL. ...
  2. Go to the Tokens resources section and click to expand it.
  3. Enter the applicationID, username and password, and click on Execute. ...
  4. Copy/save this authorization key for later use.
Jul 26, 2022

How do I enable JWT authentication? ›

Install the DNN JWT Auth Handler. Go to Host > Extensions.
(Optional) Enable JWT authentication for all Web API requests.
  1. Access the web. config file.
  2. Search for the newly-added JWTAuth line inside the <messageHandlers/> section.
  3. Change JWTAuth's enabled and defaultInclude attributes to "true".

Why CodeIgniter is better than PHP? ›

Most PHP-based web applications lack the cache feature in them, but CodeIgniter comes with the cache library to develop web applications that run faster than the other PHP frameworks. And lastly, CodeIgniter has a very active and effective community, just like WordPress.

What is the advantage of CodeIgniter? ›

It makes it easier for programmers to write secure PHP applications by providing several features. CodeIgniter framework can easily tackle threats like SQL injection, cross-site scripting attacks, and remote code execution. Moreover, its cookie encryption and decryption features enhance the product development process.

Why is CodeIgniter better? ›

Codeigniter is popular because of its MVC structure. This structure makes it easy to write clean and simple code. It also allows a developer to isolate parts of their code that they don't want users to access. The model-view-Controller architecture gives developers total control over how their applications work.

How do I create an API easily? ›

How to Create an API
  1. Determine Your Requirements. First, you'll need to determine your API requirements. ...
  2. Design Your API. Next, you'll need to consider API design. ...
  3. Develop Your API. Now, it's time to start developing your API product. ...
  4. Test Your API. ...
  5. Publish/Deploy Your API. ...
  6. Monitor Your API.
Feb 7, 2023

Can I build my own API? ›

Creating your own APIs can seem daunting if you're new to the practice, but sticking to a design-first approach will keep you on the right track. A simple three-step process—design, verify, code—can increase your chances of building an API that benefits the people who use it.

What is the easiest way to implement API? ›

The easiest way to start using an API is by finding an HTTP client online, like REST-Client, Postman, or Paw. These ready-to-use tools help you structure your requests to access existing APIs.

How to create a simple REST API in PHP? ›

Building A REST API
  1. → STEP #1. You can skip this step if you already have PHP installed on your computer. ...
  2. → STEP #2. Since PHP is a server-side language, you need to set up a server. ...
  3. → STEP #3. Now navigate to where you have installed XAMPP. ...
  4. → STEP #4. Now create another directory called server inside rest-api .
Mar 28, 2022

How do I create a custom REST API? ›

  1. Create an integration with an external API.
  2. Create a custom REST API.
  3. Create an access control list (ACL) rule.
  4. Create a custom import entity.
  5. Convert serialized to JSON.
  6. Copy fieldsets.
  7. Modify media library folder permissions.
Mar 4, 2023

How to create REST API with Lambda? ›

  1. Create a "Hello, World!" Lambda function. This function returns a greeting to the caller as a JSON object in the following format: ...
  2. Create a "Hello, World!" API. Now create an API for your "Hello, World!" Lambda function by using the API Gateway console. ...
  3. Deploy and test the API. Deploy the API in the API Gateway console.

How to get JSON data from REST API in PHP? ›

To get JSON from a REST API endpoint using PHP, you must send an HTTP GET request to the REST API server and provide an Accept: application/json request header. The Accept: application/json header tells the REST API server that the API client expects to receive data in JSON format.

How to generate token in REST API in PHP? ›

Table of Contents
  1. Create a file for creating a user.
  2. Connect to database and user table.
  3. Assign submitted data to object properties.
  4. Use the create() method.
  5. Create the user object class.
  6. Add a create() method.
  7. Output.
Sep 19, 2018

How to create REST API in PHP JSON? ›

How to develop an API with PHP, JSON, and POSTMAN in 9 Steps
  1. Establish Database.
  2. Provide Data in Database.
  3. Connect Database with PHP.
  4. Build API – GET Request.
  5. Test API with POSTMAN.
  6. Create API – GET Single data.
  7. Develop an API – POST Request for Insert & Update.
  8. Build API – DELETE Request.
Aug 31, 2022

Can I create my own API? ›

The easiest way to develop your API product is to use a tool. For instance, you can build your API using Akana. With Akana, you have two ways to develop your API: Create an API product that exposes ('proxies') an existing resource.

How to create service request through REST API? ›

To create a web service request definition
  1. Log in to BMC Helix Innovation Studio.
  2. On the Workspace tab, select the application from which you want to connect to a RESTful service.
  3. Click the Web APIs tab and click New.
  4. On the Properties tab, provide a name for the RESTful Service, such as JIRA API.
Dec 16, 2020

What is a REST API example? ›

For example, a REST API would use a GET request to retrieve a record, a POST request to create one, a PUT request to update a record, and a DELETE request to delete one. All HTTP methods can be used in API calls. A well-designed REST API is similar to a website running in a web browser with built-in HTTP functionality.

How to use JSON API in PHP? ›

Example explained:
  1. Define an object containing a "limit" property and value.
  2. Convert the object into a JSON string.
  3. Send a request to the PHP file, with the JSON string as a parameter.
  4. Wait until the request returns with the result (as JSON)
  5. Display the result received from the PHP file.

Is PHP good for REST API? ›

In PHP, there are several frameworks available that make it easy to create REST APIs, including Laravel, Slim, and Lumen. These frameworks provide a range of features and libraries to help developers create APIs quickly and efficiently, including support for routing, request and response handling, and data validation.

What is the difference between Lambda and API? ›

Key Differences Between AWS Lambda Function URLs & Amazon API Gateway. API Gateway supports Caching, proxy to AWS services, WebSocket, Usage Plan, Manage API key & Access logs in CloudWatch, these are features not available in Lambda function URL. API Gateway supports Custom Domain & Integration with AWS WAF.

How do I create an API in API Gateway? ›

Create an HTTP API by using the AWS Management Console
  1. Open the API Gateway console .
  2. Choose Create API.
  3. Under HTTP API, choose Build.
  4. Choose Add integration, and then choose an AWS Lambda function or enter an HTTP endpoint.
  5. For Name, enter a name for your API.
  6. Choose Review and create.
  7. Choose Create.

What is REST API Gateway? ›

A REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can use API Gateway features to help you with all aspects of the API lifecycle, from creation through monitoring your production APIs.


1. 7 - Codeigniter 3 Authenticate Api Request with JWT Token
(The Quick Sol)
2. RESTful Api in Codeigniter 3 - Login Registration using Postman
(Codex Time)
3. CodeIgniter 4 API Development Using JWT Authentication | Skillshike | RESTful APIs using JWT
(Online Web Tutor)
4. 5 - Login with Codeigniter3 based on JWT Token
(The Quick Sol)
5. Quick and simple Rest api in codeigniter tutorial
(Code Step By Step)
6. Jwt in php codeigniter | How to add JWT Authentication to a CodeIgniter 3 REST API | codeigniter
(Developer City)
Top Articles
Latest Posts
Article information

Author: Rev. Porsche Oberbrunner

Last Updated: 05/26/2023

Views: 5559

Rating: 4.2 / 5 (53 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Rev. Porsche Oberbrunner

Birthday: 1994-06-25

Address: Suite 153 582 Lubowitz Walks, Port Alfredoborough, IN 72879-2838

Phone: +128413562823324

Job: IT Strategist

Hobby: Video gaming, Basketball, Web surfing, Book restoration, Jogging, Shooting, Fishing

Introduction: My name is Rev. Porsche Oberbrunner, I am a zany, graceful, talented, witty, determined, shiny, enchanting person who loves writing and wants to share my knowledge and understanding with you.