
This gem provides the extracted Token Authenticatable module of devise. It includes the functionality that was also in version 3.1.2 of devise. With the inclusion of this module a user is able to sign in via an authentication token. This token can be given via a query string or HTTP Basic Authentication. See the hint below to understand which version of this gem supports which version of devise.

Use this gem as a starting point for your own token authentication mechanism for devise. Furthermore, if you need token authentication in connection with newer devise releases this gem might be an appropriate solution, too.


Add this line to your application's Gemfile:

gem 'devise-token_authenticatable'

And then execute:

$ bundle

Or install it yourself as:

$ gem install devise-token_authenticatable

Which version to use for which version of devise?

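| devise-token_authenticatable | devise             |
|------------------------------|--------------------|
| ~> 0.1                       | ~> 3.2.0           |
| ~> 0.2                       | ~> 3.3.0           |
| ~> 0.3                       | ~> 3.4.0           |
| ~> 0.4.0, < 0.4.9            | ~> 3.5.0, < 3.5.2  |
| ~> 0.4.9                     | ~> 3.5.2           |
| ~> 0.5.x, <= 1.0.2           | >= 4.0.0, < 4.6.0  |
| ~> 1.1.0                     | >= 4.0.0, < 5.0.0  |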


Create the needed columns with a corresponding migration:

  def change
    # token column plus the timestamp used for token expiration
    add_column :users, :authentication_token, :text
    add_column :users, :authentication_token_created_at, :datetime

    add_index :users, :authentication_token, unique: true
  end

Add :token_authenticatable to your devise model:

class User < ActiveRecord::Base
  devise :database_authenticatable, :token_authenticatable
end


This gem can be configured as follows:

Devise::TokenAuthenticatable.setup do |config|
  # enables the expiration of a token after a specified amount of time,
  # requires an additional field on the model: `authentication_token_created_at`
  # defaults to nil (1.day is only an example value)
  config.token_expires_in = 1.day

  # set the authentication key name used by this module,
  # defaults to :auth_token
  config.token_authentication_key = :other_key_name

  # enable reset of the authentication token before the model is saved,
  # defaults to false
  config.should_reset_authentication_token = true

  # enables setting the authentication token, if not already set, before the model is saved,
  # defaults to false
  config.should_ensure_authentication_token = true
end

Enable devise's HTTP Auth for the token strategy as shown below:

# initializers/devise.rb
Devise.setup do |config|
  # ...
  config.http_authenticatable = true
  # or
  config.http_authenticatable = [:token]
  # ...
end
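
The plain-Ruby sketch below is an added illustration, not code from this gem or from devise. It models what the settings above control: reading the token from HTTP Basic Authentication or from the `auth_token` query parameter, then rejecting it once it is older than `token_expires_in`. Assumptions: the token travels as the Basic username with the password ignored, the expiry is 24 hours, the header is checked before the query string, and the `User` struct, sample tokens and URLs are constructed.

```ruby
require "digest"
require "uri"

# Constructed stand-in for a users row; not the gem's model or strategy code.
User = Struct.new(:email, :authentication_token, :authentication_token_created_at)

AUTH_KEY = "auth_token"       # default token_authentication_key per the README
TOKEN_EXPIRES_IN = 24 * 3600  # seconds; assumed value for token_expires_in

# Return the token from an HTTP Basic header (token as username, password
# ignored) or, if there is none, from the query string parameter.
def extract_token(url, authorization_header = nil)
  m = /\ABasic\s+(\S+)\z/i.match(authorization_header.to_s)
  if m
    token = m[1].unpack1("m").split(":", 2).first # "m" = base64 decode
    return token unless token.nil? || token.empty?
  end
  query = URI.parse(url).query
  query && URI.decode_www_form(query).to_h[AUTH_KEY]
end

# Compare fixed-length digests so timing does not depend on matching prefixes.
def secure_compare(a, b)
  da = Digest::SHA256.digest(a).bytes
  db = Digest::SHA256.digest(b).bytes
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Look the token up, then reject it when older than TOKEN_EXPIRES_IN.
# A missing creation timestamp is treated as expired (this sketch's choice).
def authenticate(users, url, authorization_header = nil, now: Time.now)
  token = extract_token(url, authorization_header)
  return nil if token.nil? || token.empty?
  user = users.find do |u|
    u.authentication_token && secure_compare(u.authentication_token, token)
  end
  return nil if user.nil? || user.authentication_token_created_at.nil?
  now - user.authentication_token_created_at > TOKEN_EXPIRES_IN ? nil : user
end

# Constructed sample data.
NOW = Time.utc(2024, 1, 2, 12, 0, 0)
USERS = [
  User.new("fresh@example.test", "tok-fresh-1234", NOW - 3600),
  User.new("stale@example.test", "tok-stale-5678", NOW - 2 * 24 * 3600)
].freeze
```

A token sent in the query string ends up in server access logs, proxies and browser history, so the Basic header form is the one to prefer when the client allows it.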


Using a new user's auth token does not result in invalidating an old user's session. How can I ignore session storage when using token authentication?

Add :token_auth to your devise configuration:

Devise.setup do |config|
  config.skip_session_storage = [:http_auth, :token_auth]
end


For your convenience, source code documentation is also available.


  1. Fork it.
  2. Create your feature branch (git checkout -b my-new-feature).
  3. Commit your changes (git commit -am 'Add some feature').
  4. Push to the branch (git push origin my-new-feature).
  5. Create new Pull Request.
  6. Get a thank you!