Skip to content

feat(jetstream): enable read-only personal access tokens #793

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
vcnainala wants to merge 2 commits into
base: development
Choose a base branch
from
Open

feat(jetstream): enable read-only personal access tokens #793

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
cd871bc
feat(jetstream): enable read-only personal access tokens in UI
vcnainala Jun 1, 2026
aae0217
docs(api): document personal access tokens
vcnainala Jun 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 2 additions & 6 deletions app/Providers/JetstreamServiceProvider.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,13 +31,9 @@ public function boot(): void
*/
protected function configurePermissions(): void
{
// Sanctum PAT abilities are scoped to read only. REST authorization uses Spatie via policies.
Jetstream::defaultApiTokenPermissions(['read']);

Jetstream::permissions([
'create',
'read',
'update',
'delete',
]);
Jetstream::permissions(['read']);
}
}
2 changes: 1 addition & 1 deletion config/jetstream.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@
'features' => [
// Features::termsAndPrivacyPolicy(),
Features::profilePhotos(),
// Features::api(),
Features::api(),
// Features::teams(['invitations' => true]),
Features::accountDeletion(),
],
Expand Down
10 changes: 9 additions & 1 deletion docs/api-documentation.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,15 @@ POST /api/auth/login
:::info
The token is of **Bearer** type. This has to be supplied in the headers of the requests. In case you are using the [swagger UI of the API](https://coconut.naturalproducts.net/api-documentation), click on the **Authorize** button and provide the token as per the instruction.
:::

### Personal Access Tokens

Verified users can create long-lived **Personal Access Tokens** from the web application: account menu → **Personal Access Tokens** (`/user/api-tokens`). Use the token in the `Authorization` header as `Bearer <token>`.

- Sanctum token abilities are limited to **read** at the token layer.
- What you can do on the API (search, mutate, delete, and so on) is controlled by **Spatie permissions** on your user account, enforced through Lomkit policies—not by the token ability checkboxes.
- Login and register responses return a separate short-lived `auth_token`; personal access tokens are intended for scripts and integrations you name and manage yourself.

### Logout
```
GET /api/auth/logout
Expand Down Expand Up @@ -103,7 +112,6 @@ Search Molecules using various attributes. There are two tables invovled in this
The fields in the *molecules* table can be accessed directly with their column names. The fields in the *properties* table are to be accessed prefixing them with the table name. Ex: **properties.field-name**.
:::


**Request Body Example (application/json):**
```json
{
Expand Down
9 changes: 6 additions & 3 deletions tests/Feature/ApiTokenPermissionsTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,21 +25,24 @@ public function test_api_token_permissions_can_be_updated(): void
$token = $user->tokens()->create([
'name' => 'Test Token',
'token' => Str::random(40),
'abilities' => ['create', 'read'],
'abilities' => ['read'],
]);

Livewire::test(ApiTokenManager::class)
->set(['managingPermissionsFor' => $token])
->set(['updateApiTokenForm' => [
'permissions' => [
'read',
'delete',
'missing-permission',
],
]])
->call('updateApiToken');

$this->assertTrue($user->fresh()->tokens->first()->can('delete'));
$this->assertFalse($user->fresh()->tokens->first()->can('read'));
$this->assertTrue($user->fresh()->tokens->first()->can('read'));
$this->assertFalse($user->fresh()->tokens->first()->can('delete'));
$this->assertFalse($user->fresh()->tokens->first()->can('missing-permission'));
$this->assertFalse($user->fresh()->tokens->first()->can('create'));
$this->assertFalse($user->fresh()->tokens->first()->can('update'));
}
}
2 changes: 1 addition & 1 deletion tests/Feature/CreateApiTokenTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,14 +26,14 @@ public function test_api_tokens_can_be_created(): void
'name' => 'Test Token',
'permissions' => [
'read',
'update',
],
]])
->call('createApiToken');

$this->assertCount(1, $user->fresh()->tokens);
$this->assertEquals('Test Token', $user->fresh()->tokens->first()->name);
$this->assertTrue($user->fresh()->tokens->first()->can('read'));
$this->assertFalse($user->fresh()->tokens->first()->can('update'));
$this->assertFalse($user->fresh()->tokens->first()->can('delete'));
}
}
Loading