
// the find

lynndylanhurley/devise_token_auth

★ 3,569 · Ruby · WTFPL · updated Apr 2026

Token based authentication for Rails JSON APIs. Designed to work with jToker and ng-token-auth.

Token-based authentication gem for Rails API backends, built on top of Devise and OmniAuth. It stores multiple per-client tokens in the database and rotates them on every request — the right approach for SPA/mobile backends that can't use cookies. Aimed at Rails devs who already know Devise and want token auth without rolling it from scratch.

- Per-client token storage means one compromised token doesn't kill all sessions — each device gets its own entry in the tokens hash, which is a meaningful security property most homebrew implementations skip.

- Built on Devise, so you inherit the full Devise ecosystem: confirmable, lockable, recoverable, OmniAuth providers all just work without reimplementing them.

- OmniAuth integration is first-class — OAuth2 flows with providers like Google/GitHub are handled, not bolted on as an afterthought.

- Good test coverage with a full dummy Rails app in the test suite; tests cover custom controller overrides, multiple user models, and Mongoid alongside ActiveRecord.

- The token rotation model (new token on every request) breaks with parallel requests — two simultaneous API calls will race and one will 401, a known design flaw that has never been cleanly solved and is papered over with a batch request window config.

- Gemfiles in the tree go up to Rails 7.0 — no Rails 7.1 or 8.x Appraisals listed, so compatibility with newer Rails versions is unverified and the community maintainership is thin.

- Storing tokens as a JSON hash in a single `tokens` column means you can't query or expire individual sessions via SQL without deserializing — not great if you need audit logs or admin-forced session revocation at scale.

- The client-side companion libraries it was designed for (ng-token-auth, jToker) are effectively abandoned; anyone starting fresh today is integrating this manually against whatever frontend they have, with no maintained reference client.
