RequireServiceToken
vauth.service_only — the INBOUND half of service-to-service auth:
accept only machine credentials (service-principal tokens minted via
the auth-server’s client_credentials grant), never end-user tokens.
Mirrors the Nest adapter’s ServiceOnlyGuard.
Optional middleware parameters are required scopes (ALL must be present on the token). Colons inside scope codes are fine — Laravel only splits the alias on the first ’:’ —
Route::post(‘/partner/publish’, …) ->middleware(‘vauth.service_only:gsku:publish’);
On success the ServicePrincipal is exposed as the AuthClient’s
current principal and as the ven_service request attribute:
$svc = $request->attributes->get(‘ven_service’); // ServicePrincipal $svc->serviceName; $svc->hasScope(‘gsku:publish’);
Failure shapes (JSON envelope via ResponseHelpers): 401 UNAUTHENTICATED — missing / invalid / expired bearer 403 SERVICE_REQUIRED — a valid USER token (humans don’t belong here) 403 MISSING_SCOPE — service token lacking a required scope