// the find
rootstrap/rails_api_base
API boilerplate project for Ruby on Rails 8
A Rails 8 API boilerplate from Rootstrap that gives you a working authentication stack (Devise + devise_token_auth), admin panel, background jobs, feature flags, and OpenAPI docs out of the box. Aimed at teams starting a new JSON API and wanting to skip the first week of setup. Best for shops already sold on the Rails ecosystem.
Pundit + Devise Token Auth is a reasonable auth combination that many production Rails APIs actually use, so you're not fighting the grain later. The toolchain is genuinely complete: Brakeman for security, Prosopite for N+1 detection, Strong Migrations to catch dangerous schema changes — these are exactly the tools you'd add yourself in the first month anyway. GoodJob for background processing is a solid default that avoids a Redis dependency while still being production-worthy. The `bootstrap.sh` script that renames the app throughout the codebase is a small but useful touch that many boilerplates skip.
Ruby 4.0 listed in the README against Rails 8.1 is a red flag — Ruby 4.0 doesn't exist yet, which suggests the README isn't kept in sync with actual versions. Devise Token Auth is a header-based token scheme that the maintainer has described as in maintenance mode; anyone building a new API in 2025 should probably be looking at session cookies or a proper OAuth flow instead. The gem list is heavy — 30+ gems before you write a line of business logic means a non-trivial boot time and a dependency surface you'll be auditing for years. YAAF (form objects) is a rootstrap-internal gem with minimal adoption outside the company, which is a quiet vendor lock-in risk.