Skip to content
rw3iss Auth

ServiceTokenManager

class rw3iss\AuthServer\Laravel\Service\ServiceTokenManager src/Service/ServiceTokenManager.php ↗

Mint + cache machine-to-machine (service) access tokens for OUTBOUND calls to other rw3iss services — the Laravel mirror of the Nest adapter’s ServiceAuthClient.

Backed by the auth-server’s OAuth2 client_credentials grant (POST /oauth/token, migration 012’s m2m_clients registry). The minted token is a service principal (token_type: "service") whose scopes claim the RECEIVING service enforces — see the vauth.service_only middleware for the inbound half.

Usage:

$token = app(ServiceTokenManager::class)->token(); // or VenService::token() Http::withToken($token)->post(‘https://globalsku.app/api/…’, $payload); // or the registered macro: Http::withVenServiceToken()->post(’…’);

Tokens are cached in the configured Laravel cache store under vauth:svc_token:{client_id} until expires_in − ttl_margin seconds, so a busy app mints at most once per expiry window (the auth-server’s service tokens are short-lived — typically 15m).

Credentials come from config/vauth.phpservice.* (AUTH_M2M_CLIENT_ID / AUTH_M2M_CLIENT_SECRET / AUTH_M2M_SCOPES). The secret is minted once via POST /admin/m2m-clients (system_admin) — see docs/SERVICE_TOKENS.md.

Methods

__construct()

function __construct(
private readonly AuthClient $client,
private readonly CacheRepository $cache,
private readonly string $clientId,
private readonly string $clientSecret,
private readonly array $scopes = [],
private readonly int $ttlMarginSeconds = 60,
)

Parameters

  • $scopeslist<string> · empty = the client’s full configured scope set (server-side default)

token()

function token(): string

The current service access token — cached, re-minted when the cache entry has expired (i.e. the token is within ttl_margin of its own expiry).

Throws

  • VenAuthException when the grant fails (bad credentials, revoked client, auth-server unreachable)

fresh()

function fresh(): string

Force a re-mint (e.g. after a downstream 401 that suggests the cached token was revoked early) and refresh the cache.

forget()

function forget(): void

Drop the cached token (next call re-mints).

authorizationHeader()

function authorizationHeader(): string

Convenience: the full Authorization header value.