Skip to content
rw3iss Auth

RequireServiceToken

class rw3iss\AuthServer\Laravel\Middleware\RequireServiceToken src/Middleware/RequireServiceToken.php ↗

vauth.service_only — the INBOUND half of service-to-service auth: accept only machine credentials (service-principal tokens minted via the auth-server’s client_credentials grant), never end-user tokens. Mirrors the Nest adapter’s ServiceOnlyGuard.

Optional middleware parameters are required scopes (ALL must be present on the token). Colons inside scope codes are fine — Laravel only splits the alias on the first ’:’ —

Route::post(‘/partner/publish’, …) ->middleware(‘vauth.service_only:gsku:publish’);

On success the ServicePrincipal is exposed as the AuthClient’s current principal and as the ven_service request attribute:

$svc = $request->attributes->get(‘ven_service’); // ServicePrincipal $svc->serviceName; $svc->hasScope(‘gsku:publish’);

Failure shapes (JSON envelope via ResponseHelpers): 401 UNAUTHENTICATED — missing / invalid / expired bearer 403 SERVICE_REQUIRED — a valid USER token (humans don’t belong here) 403 MISSING_SCOPE — service token lacking a required scope