ServiceTokenManager
Mint + cache machine-to-machine (service) access tokens for OUTBOUND calls to other rw3iss services — the Laravel mirror of the Nest adapter’s ServiceAuthClient.
Backed by the auth-server’s OAuth2 client_credentials grant
(POST /oauth/token, migration 012’s m2m_clients registry). The
minted token is a service principal (token_type: "service") whose
scopes claim the RECEIVING service enforces — see the
vauth.service_only middleware for the inbound half.
Usage:
$token = app(ServiceTokenManager::class)->token(); // or VenService::token() Http::withToken($token)->post(‘https://globalsku.app/api/…’, $payload); // or the registered macro: Http::withVenServiceToken()->post(’…’);
Tokens are cached in the configured Laravel cache store under
vauth:svc_token:{client_id} until expires_in − ttl_margin
seconds, so a busy app mints at most once per expiry window (the
auth-server’s service tokens are short-lived — typically 15m).
Credentials come from config/vauth.php → service.*
(AUTH_M2M_CLIENT_ID / AUTH_M2M_CLIENT_SECRET / AUTH_M2M_SCOPES).
The secret is minted once via POST /admin/m2m-clients
(system_admin) — see docs/SERVICE_TOKENS.md.
Methods
__construct()
function __construct( private readonly AuthClient $client, private readonly CacheRepository $cache, private readonly string $clientId, private readonly string $clientSecret, private readonly array $scopes = [], private readonly int $ttlMarginSeconds = 60,)Parameters
$scopes—list<string>· empty = the client’s full configured scope set (server-side default)
token()
function token(): stringThe current service access token — cached, re-minted when the cache entry has expired (i.e. the token is within ttl_margin of its own expiry).
Throws
VenAuthException when the grant fails (bad credentials, revoked client, auth-server unreachable)
fresh()
function fresh(): stringForce a re-mint (e.g. after a downstream 401 that suggests the cached token was revoked early) and refresh the cache.
forget()
function forget(): voidDrop the cached token (next call re-mints).
authorizationHeader()
function authorizationHeader(): stringConvenience: the full Authorization header value.