Rails-API authentication solution based on JWT and inspired by Devise.
This is the documentation for version 1.x. If you are using a 0.x version, use the documentation for that version instead.
Add this line to your application's Gemfile:

```ruby
gem 'rails_jwt_auth'
```

And then execute:

```sh
$ bundle
```

Or install it yourself as:

```sh
$ gem install rails_jwt_auth
```

Finally, run the install generator:

```sh
rails g rails_jwt_auth:install
```

For ActiveRecord only, generate the migrations:

```sh
rails g rails_jwt_auth:migrate
```
You can edit the configuration options in the config/initializers/auth_token_auth.rb file created by the generator.
Option | Default value | Description |
--- | --- | --- |
model_name | 'User' | Authentication model name |
auth_field_name | 'email' | Field used to authenticate the user with a password |
email_field_name | 'email' | Field used to send emails |
jwt_expiration_time | 7.days | Token expiration time |
jwt_issuer | 'RailsJwtAuth' | The "iss" (issuer) claim identifies the principal that issued the JWT |
simultaneous_sessions | 2 | Number of simultaneous sessions for a user. Set 0 to disable sessions |
mailer_sender | | E-mail address shown as the sender in RailsJwtAuth::Mailer |
confirmation_expiration_time | 1.day | Confirmation token expiration time |
reset_password_expiration_time | 1.day | Reset password token expiration time |
deliver_later | false | Uses the deliver_later method to send emails |
invitation_expiration_time | 2.days | Time an invitation is valid and can be accepted |
confirmations_url | nil | URL used to build the e-mail link carrying the confirmation token |
reset_passwords_url | nil | URL used to build the e-mail link carrying the reset password token |
set_passwords_url | nil | URL used to build the e-mail link carrying the set password token |
invitations_url | nil | URL used to build the e-mail link carrying the invitation token |
Module | Description |
--- | --- |
Authenticatable | Hashes and stores a password in the database to validate the authenticity of a user while signing in |
Confirmable | Sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in |
Recoverable | Resets the user password and sends reset instructions |
Trackable | Tracks sign in timestamps and IP address |
Invitable | Allows you to invite a user to your application by sending an invitation mail |
In the following examples, auth_field_name and email_field_name are configured to use the field email (the default).
```ruby
# app/models/user.rb

class User < ApplicationRecord
  include RailsJwtAuth::Authenticatable
  include RailsJwtAuth::Confirmable
  include RailsJwtAuth::Recoverable
  include RailsJwtAuth::Trackable
  include RailsJwtAuth::Invitable

  validates :email, presence: true,
                    uniqueness: true,
                    format: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i
end
```
Ensure you have run the migrate task (rails g rails_jwt_auth:migrate) and that you have uncommented the fields for every module you include.
```ruby
# app/models/user.rb

class User
  include Mongoid::Document
  include RailsJwtAuth::Authenticatable
  include RailsJwtAuth::Confirmable
  include RailsJwtAuth::Recoverable
  include RailsJwtAuth::Trackable
  include RailsJwtAuth::Invitable

  field :email, type: String

  validates :email, presence: true,
                    uniqueness: true,
                    format: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i
end
```
RailsJwtAuth provides some helpers to use inside your controllers. To use these helpers, include RailsJwtAuth::AuthenticableHelper in ApplicationController:

```ruby
# app/controllers/application_controller.rb

class ApplicationController < ActionController::API
  include RailsJwtAuth::AuthenticableHelper
end
```

Authenticate your controllers with the authenticate! filter:

```ruby
class MyController < ApplicationController
  before_action :authenticate!
end
```

This helper expects the token to be sent in the Authorization header, as `Authorization: Bearer <token>`; a request without a valid token raises RailsJwtAuth::Errors::NotAuthorized.

`current_user` returns the current signed-in user.

`signed_in?` checks whether a user is signed in.
The session API is defined by RailsJwtAuth::SessionsController.

- Get session token:

```
url: host/session,
method: POST,
data: {
  session: {
    email: "user@example.com",
    password: "12345678"
  }
}
```

- Delete session:

```
url: host/session,
method: DELETE,
headers: { 'Authorization': 'Bearer auth_token' }
```
The registration API is defined by RailsJwtAuth::RegistrationsController.

- Register user:

```
url: host/registration,
method: POST,
data: {
  user: {
    email: "user@example.com",
    password: "12345678"
  }
}
```

- Delete user:

```
url: host/registration,
method: DELETE,
headers: { 'Authorization': 'Bearer auth_token' }
```
The confirmation API is defined by RailsJwtAuth::ConfirmationsController.

- Confirm user:

```
url: host/confirmation,
method: PUT,
data: {
  confirmation_token: "token"
}
```

- Create confirmation (resend confirmation email):

```
url: host/confirmation,
method: POST,
data: {
  confirmation: {
    email: "user@example.com"
  }
}
```
The password API is defined by RailsJwtAuth::PasswordsController.

- Send reset password email:

```
url: host/password,
method: POST,
data: {
  password: {
    email: "user@example.com"
  }
}
```

- Update password:

```
url: host/password,
method: PUT,
data: {
  reset_password_token: "token",
  password: {
    password: '1234',
    password_confirmation: '1234'
  }
}
```
The invitations API is provided by RailsJwtAuth::InvitationsController.

- Create an invitation and send email:

```
url: host/invitations,
method: POST,
data: {
  invitation: {
    email: "user@example.com",
    // More fields of your user
  }
}
```

- Accept an invitation:

```
url: host/invitations/:invitation_token,
method: PUT,
data: {
  invitation: {
    password: '1234',
    password_confirmation: '1234'
  }
}
```

Note: To add more fields, see "Custom strong parameters" below.
You can overwrite the RailsJwtAuth controllers to edit actions, responses, permitted parameters, and so on.

For example, if we want to call a custom method when a user is created, we create a new registrations controller that inherits from the default one:

```ruby
# app/controllers/registrations_controller.rb

class RegistrationsController < RailsJwtAuth::RegistrationsController
  def create
    user = RailsJwtAuth.model.new(create_params)

    if user.save
      user.my_custom_method # placeholder: the method you want to run after registration
      render_204
    else
      render_422(user.errors.details)
    end
  end
end
```

And edit the route resource to use it:

```ruby
# config/routes.rb

resource :registration, controller: 'registrations', only: [:create, :update, :destroy]
```
If you need to edit the default payload used to generate the JWT, overwrite the method to_token_payload in your User class:

```ruby
class User < ApplicationRecord
  include RailsJwtAuth::Authenticatable

  def to_token_payload(request)
    {
      auth_token: regenerate_auth_token,
      # add here your custom info
    }
  end
end
```
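To make the configuration options and the payload above concrete, here is an added, self-contained example (not rails_jwt_auth's own code) that issues and verifies HS256 tokens carrying the same claims: the per-session auth_token returned by to_token_payload, the iss claim from jwt_issuer, and exp derived from jwt_expiration_time. It also models simultaneous_sessions (the user keeps only the newest N auth_tokens, so an old session is evicted) and what DELETE /session achieves (one auth_token removed, the others untouched), and parses the Authorization: Bearer header that authenticate! expects. JWT_SECRET, the DemoUser class and every helper name here are assumptions for this demo; the gem signs with your application's own secret.

```ruby
require 'openssl'; require 'json'; require 'base64'; require 'securerandom'

# Added example, not rails_jwt_auth's code: HS256 issue/verify for the claims the
# README describes. JWT_SECRET, DemoUser and the helper names are assumptions.
JWT_SECRET            = 'demo-secret-not-for-production' # the gem uses your app's own secret
JWT_ISSUER            = 'RailsJwtAuth' # config.jwt_issuer default
JWT_EXPIRATION_TIME   = 7 * 24 * 3600  # config.jwt_expiration_time default (7.days), in seconds
SIMULTANEOUS_SESSIONS = 2              # config.simultaneous_sessions default

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time comparison: a forged signature must not leak where it first differs.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for the user record (assumed shape): the live per-session auth_tokens,
# capped at SIMULTANEOUS_SESSIONS; the oldest session is evicted when the cap is hit.
class DemoUser
  attr_reader :auth_tokens

  def initialize
    @auth_tokens = []
  end

  # Plays the role of regenerate_auth_token in to_token_payload above.
  def regenerate_auth_token
    token = SecureRandom.hex(16)
    @auth_tokens << token
    @auth_tokens.shift while @auth_tokens.size > SIMULTANEOUS_SESSIONS
    token
  end

  def to_token_payload(_request = nil)
    { auth_token: regenerate_auth_token }
  end

  # What DELETE /session does: revoke this one session, leave the others alive.
  def destroy_auth_token(token)
    @auth_tokens.delete(token)
  end
end

# Issue a token: payload plus iss and exp claims, HS256 over "header.payload".
def encode_jwt(payload, now: Time.now.to_i, issuer: JWT_ISSUER)
  header = { alg: 'HS256', typ: 'JWT' }
  claims = payload.merge(iss: issuer, exp: now + JWT_EXPIRATION_TIME)
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', JWT_SECRET, signing_input))}"
end

# Pull the token out of "Authorization: Bearer <token>"; nil for anything else.
def token_from_authorization_header(value)
  m = /\ABearer\s+(\S+)\z/.match(value.to_s)
  m && m[1]
end

# Returns the claims if the token is valid for `user`, otherwise nil. Rejects malformed
# tokens, non-HS256 headers (alg "none"/confusion), bad signatures, wrong issuer,
# expired tokens and auth_tokens the user no longer holds (revoked or evicted).
def verify_jwt(token, user, now: Time.now.to_i)
  parts = token.to_s.split('.')
  return nil unless parts.size == 3
  begin
    header    = JSON.parse(Base64.urlsafe_decode64(parts[0]))
    claims    = JSON.parse(Base64.urlsafe_decode64(parts[1]))
    given_sig = Base64.urlsafe_decode64(parts[2])
  rescue ArgumentError, JSON::ParserError
    return nil
  end
  return nil unless header.is_a?(Hash) && claims.is_a?(Hash) && header['alg'] == 'HS256'
  expected_sig = OpenSSL::HMAC.digest('SHA256', JWT_SECRET, "#{parts[0]}.#{parts[1]}")
  return nil unless secure_equal?(given_sig, expected_sig)
  return nil unless claims['iss'] == JWT_ISSUER
  return nil unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  return nil unless user.auth_tokens.include?(claims['auth_token'])
  claims
end

# Walk the session lifecycle; every value in the returned hash should be true.
def session_demo
  user = DemoUser.new
  t1 = encode_jwt(user.to_token_payload) # login on device 1
  t2 = encode_jwt(user.to_token_payload) # login on device 2
  t3 = encode_jwt(user.to_token_payload) # third login evicts device 1's session
  results = {
    bearer_parsed: token_from_authorization_header("Bearer #{t3}") == t3,
    t3_valid:      !verify_jwt(t3, user).nil?,
    t1_evicted:    verify_jwt(t1, user).nil?,
    expired:       verify_jwt(t3, user, now: Time.now.to_i + JWT_EXPIRATION_TIME + 1).nil?,
    tampered:      verify_jwt(t3.sub(/[^.]+\z/, 'AAAA'), user).nil?,
    wrong_issuer:  verify_jwt(encode_jwt({ auth_token: user.auth_tokens.last }, issuer: 'evil'), user).nil?,
    alg_none:      verify_jwt("#{b64url('{"alg":"none"}')}.#{t3.split('.')[1]}.AAAA", user).nil?
  }
  user.destroy_auth_token(verify_jwt(t2, user)['auth_token']) # DELETE /session on device 2
  results.merge(t2_revoked: verify_jwt(t2, user).nil?)
end
```

The point to take from the demo is the split between the two checks: the signature and exp/iss claims are verified statelessly from the token alone, while the auth_token claim is looked up against the user record, which is what lets a logout or a session cap actually revoke a JWT before it expires. Whatever you add to to_token_payload is readable by anyone holding the token (the payload is only base64url-encoded, not encrypted), so keep secrets out of it.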
You can overwrite RailsJwtAuth::RenderHelper to customize the controllers' responses.

You can overwrite RailsJwtAuth::ParamsHelper to customize the controllers' strong parameters.
This is a controller example that allows users to edit their email and password:

```ruby
class CurrentUserController < ApplicationController
  before_action 'authenticate!'

  def update
    if update_params[:password]
      # Changing the password requires the current one (current_password)
      current_user.update_with_password(update_params) ? render_204 : render_422(current_user.errors.details)
    else
      current_user.update(update_params) ? render_204 : render_422(current_user.errors.details)
    end
  end

  private

  def update_params
    params.require(:user).permit(:email, :current_password, :password)
  end
end
```
This is a controller example that allows admins to register users with a random password and send them an email to reset it. If the registration succeeds, it sends an email with a link to set_passwords_url carrying the reset password token.

```ruby
class UsersController < ApplicationController
  before_action 'authenticate!'

  def create
    user = User.new(create_params)
    user.set_and_send_password_instructions ? render_204 : render_422(user.errors.details)
  end

  private

  def create_params
    params.require(:user).permit(:email) # add the other fields your users need
  end
end
```
Require the RailsJwtAuth::Spec::Helpers helper module in rails_helper.rb:

```ruby
require 'rails_jwt_auth/spec_helpers'

RSpec.configure do |config|
  config.include RailsJwtAuth::Spec::Helpers, type: :controller
end
```

And then we can just call sign_in(user) to sign in as a user:

```ruby
describe ExampleController, type: :controller do
  let(:user) { User.create!(email: 'user@example.com', password: '12345678') }

  it "blocks unauthenticated access" do
    expect { get :index }.to raise_error(RailsJwtAuth::Errors::NotAuthorized)
  end

  it "allows authenticated access" do
    sign_in user
    get :index
    expect(response).to be_success
  end
end
```
Copy config/locales/en.yml into your project's config/locales folder and edit it to customize the messages.
The gem is available as open source under the terms of the MIT License.