oauth2-server/resource-server-securing-api.md

---
layout: default
title: Securing your API
permalink: /resource-server/securing-your-api/
---

# Securing your API

This library provides a PSR-7 friendly resource server middleware that can validate access tokens.

## Setup

Wherever you intialize your objects, initialize a new instance of the resource server with the storage interfaces:

{% highlight php %}
// Init our repositories
$accessTokenRepository = new AccessTokenRepository(); // instance of AccessTokenRepositoryInterface

// Path to authorization server's public key
$publicKey = 'file://path/to/public.key';
        
// Setup the authorization server
$server = new \League\OAuth2\Server\ResourceServer(
    $accessTokenRepository,
    $publicKeyPath
);
{% endhighlight %}

Then add the middleware to your stack:

{% highlight php %}
new \League\OAuth2\Server\Middleware\ResourceServerMiddleware($server);
{% endhighlight %}

## Implementation

The authorization header on an incoming request will automatically be validated.

If the access token is valid the following attributes will be set on the ServerRequest:

* `oauth_access_token_id` - the access token identifier
* `oauth_client_id` - the client identifier
* `oauth_user_id` - the user identifier represented by the access token
* `oauth_scopes` - an array of string scope identifiers

If the authorization is invalid an instance of `OAuthServerException::accessDenied` will be thrown.
Updated docs 2014-09-30 22:44:18 +01:00			`---`
			`layout: default`
			`title: Securing your API`
			`permalink: /resource-server/securing-your-api/`
			`---`

			`# Securing your API`

Updated securing API docs 2016-03-24 15:45:40 +00:00			`This library provides a PSR-7 friendly resource server middleware that can validate access tokens.`
Updated docs 2014-09-30 22:44:18 +01:00
Updated securing API docs 2016-03-24 15:45:40 +00:00			`## Setup`
Updated docs 2014-09-30 22:44:18 +01:00
Updated securing API docs 2016-03-24 15:45:40 +00:00			`Wherever you intialize your objects, initialize a new instance of the resource server with the storage interfaces:`

			`{% highlight php %}`
			`// Init our repositories`
Doc improvements 2016-04-17 13:16:40 +01:00			`$accessTokenRepository = new AccessTokenRepository(); // instance of AccessTokenRepositoryInterface`
Updated securing API docs 2016-03-24 15:45:40 +00:00
Doc improvements 2016-04-17 13:16:40 +01:00			`// Path to authorization server's public key`
			`$publicKey = 'file://path/to/public.key';`
Updated securing API docs 2016-03-24 15:45:40 +00:00
			`// Setup the authorization server`
Doc improvements 2016-04-17 13:16:40 +01:00			`$server = new \League\OAuth2\Server\ResourceServer(`
Updated securing API docs 2016-03-24 15:45:40 +00:00			`$accessTokenRepository,`
			`$publicKeyPath`
Updated docs 2014-09-30 22:44:18 +01:00			`);`
Updated securing API docs 2016-03-24 15:45:40 +00:00			`{% endhighlight %}`
Updated docs 2014-09-30 22:44:18 +01:00
Updated securing API docs 2016-03-24 15:45:40 +00:00			`Then add the middleware to your stack:`
Updated docs 2014-09-30 22:44:18 +01:00
Updated securing API docs 2016-03-24 15:45:40 +00:00			`{% highlight php %}`
			`new \League\OAuth2\Server\Middleware\ResourceServerMiddleware($server);`
			`{% endhighlight %}`
Updated docs 2014-09-30 22:44:18 +01:00
Updated securing API docs 2016-03-24 15:45:40 +00:00			`## Implementation`
Updated docs 2014-09-30 22:44:18 +01:00
Updated securing API docs 2016-03-24 15:45:40 +00:00			`The authorization header on an incoming request will automatically be validated.`
Updated docs 2014-09-30 22:44:18 +01:00
Updated securing API docs 2016-03-24 15:45:40 +00:00			`If the access token is valid the following attributes will be set on the ServerRequest:`
Updated docs 2014-09-30 22:44:18 +01:00
Updated securing API docs 2016-03-24 15:45:40 +00:00			* `oauth_access_token_id` - the access token identifier
			* `oauth_client_id` - the client identifier
			* `oauth_user_id` - the user identifier represented by the access token
			* `oauth_scopes` - an array of string scope identifiers
Updated docs 2014-09-30 22:44:18 +01:00
Updated securing API docs 2016-03-24 15:45:40 +00:00			If the authorization is invalid an instance of `OAuthServerException::accessDenied` will be thrown.