DEV Community: Vikas Kamboj The latest articles on DEV Community by Vikas Kamboj (@vikas_kambojindglobal). https://dev.to/vikas_kambojindglobal https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3975240%2F7d2578a1-5a7c-4928-be5a-bdac313a636d.png DEV Community: Vikas Kamboj https://dev.to/vikas_kambojindglobal en Building a Versioned REST API with Authentication in Yii2 Advanced Vikas Kamboj Tue, 09 Jun 2026 05:51:03 +0000 https://dev.to/vikas_kambojindglobal/building-a-versioned-rest-api-with-authentication-in-yii2-advanced-566b https://dev.to/vikas_kambojindglobal/building-a-versioned-rest-api-with-authentication-in-yii2-advanced-566b <p>Yii2 Advanced comes with separate applications for <code>frontend</code>, <code>backend</code>, <code>console</code>, and shared code in <code>common</code>. It does not include an <code>api</code> application by default, but Yii2 Advanced is designed in a way that makes adding one straightforward.</p> <p>In this post, we’ll create a separate API application, configure REST routes, add versioned URLs like <code>/v1/users</code> and <code>/v2/users</code>, and prepare the structure for authentication.</p> <h2> Yii2 Advanced Project Structure </h2> <p>A default Yii2 Advanced project usually looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>backend/ common/ console/ frontend/ vendor/ composer.json </code></pre> </div> <p>To build an API, create a new application folder at the same level as <code>frontend</code> and <code>backend</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>api/ </code></pre> </div> <p>After adding it, your structure becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>api/ backend/ common/ console/ frontend/ vendor/ composer.json </code></pre> </div> <h2> Creating the API Application </h2> <p>Inside the <code>api</code> folder, create this structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>api/ config/ main.php main-local.php params.php controllers/ modules/ runtime/ web/ index.php </code></pre> </div> <p>The <code>api/web</code> folder is the public document root for the API application.</p> <h2> Creating <code>api/web/index.php</code> </h2> <p>Create the entry file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="nb">defined</span><span class="p">(</span><span class="s1">'YII_DEBUG'</span><span class="p">)</span> <span class="k">or</span> <span class="nb">define</span><span class="p">(</span><span class="s1">'YII_DEBUG'</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nb">defined</span><span class="p">(</span><span class="s1">'YII_ENV'</span><span class="p">)</span> <span class="k">or</span> <span class="nb">define</span><span class="p">(</span><span class="s1">'YII_ENV'</span><span class="p">,</span> <span class="s1">'dev'</span><span class="p">);</span> <span class="k">require</span> <span class="k">__DIR__</span> <span class="mf">.</span> <span class="s1">'/../../vendor/autoload.php'</span><span class="p">;</span> <span class="k">require</span> <span class="k">__DIR__</span> <span class="mf">.</span> <span class="s1">'/../../vendor/yiisoft/yii2/Yii.php'</span><span class="p">;</span> <span class="k">require</span> <span class="k">__DIR__</span> <span class="mf">.</span> <span class="s1">'/../../common/config/bootstrap.php'</span><span class="p">;</span> <span class="nv">$config</span> <span class="o">=</span> <span class="nc">yii\helpers\ArrayHelper</span><span class="o">::</span><span class="nf">merge</span><span class="p">(</span> <span class="k">require</span> <span class="k">__DIR__</span> <span class="mf">.</span> <span class="s1">'/../../common/config/main.php'</span><span class="p">,</span> <span class="k">require</span> <span class="k">__DIR__</span> <span class="mf">.</span> <span class="s1">'/../../common/config/main-local.php'</span><span class="p">,</span> <span class="k">require</span> <span class="k">__DIR__</span> <span class="mf">.</span> <span class="s1">'/../config/main.php'</span><span class="p">,</span> <span class="k">require</span> <span class="k">__DIR__</span> <span class="mf">.</span> <span class="s1">'/../config/main-local.php'</span> <span class="p">);</span> <span class="p">(</span><span class="k">new</span> <span class="nc">yii\web\Application</span><span class="p">(</span><span class="nv">$config</span><span class="p">))</span><span class="o">-&gt;</span><span class="nf">run</span><span class="p">();</span> </code></pre> </div> <p>This bootstraps Yii and loads the shared <code>common</code> config plus API-specific configuration.</p> <h2> Creating <code>api/config/main.php</code> </h2> <p>Create the main API config file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'id'</span> <span class="o">=&gt;</span> <span class="s1">'app-api'</span><span class="p">,</span> <span class="s1">'basePath'</span> <span class="o">=&gt;</span> <span class="nb">dirname</span><span class="p">(</span><span class="k">__DIR__</span><span class="p">),</span> <span class="s1">'controllerNamespace'</span> <span class="o">=&gt;</span> <span class="s1">'api\controllers'</span><span class="p">,</span> <span class="s1">'components'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'request'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'csrfParam'</span> <span class="o">=&gt;</span> <span class="s1">'_csrf-api'</span><span class="p">,</span> <span class="s1">'parsers'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'application/json'</span> <span class="o">=&gt;</span> <span class="nc">yii\web\JsonParser</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> <span class="s1">'response'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'format'</span> <span class="o">=&gt;</span> <span class="nc">yii\web\Response</span><span class="o">::</span><span class="no">FORMAT_JSON</span><span class="p">,</span> <span class="p">],</span> <span class="s1">'urlManager'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'enablePrettyUrl'</span> <span class="o">=&gt;</span> <span class="kc">true</span><span class="p">,</span> <span class="s1">'showScriptName'</span> <span class="o">=&gt;</span> <span class="kc">false</span><span class="p">,</span> <span class="s1">'rules'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'GET /'</span> <span class="o">=&gt;</span> <span class="s1">'site/index'</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> <span class="p">],</span> <span class="p">];</span> </code></pre> </div> <p>The important parts are:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'parsers'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'application/json'</span> <span class="o">=&gt;</span> <span class="nc">yii\web\JsonParser</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="p">],</span> </code></pre> </div> <p>This allows Yii2 to read JSON request bodies.</p> <p>And:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'response'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'format'</span> <span class="o">=&gt;</span> <span class="nc">yii\web\Response</span><span class="o">::</span><span class="no">FORMAT_JSON</span><span class="p">,</span> <span class="p">],</span> </code></pre> </div> <p>This makes API responses return JSON by default.</p> <h2> Creating <code>api/config/main-local.php</code> </h2> <p>Create a local config file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'components'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'request'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'cookieValidationKey'</span> <span class="o">=&gt;</span> <span class="s1">'generate-a-random-secret-key-here'</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> <span class="p">];</span> </code></pre> </div> <p>Use a real random string for <code>cookieValidationKey</code>.</p> <h2> Creating <code>api/config/params.php</code> </h2> <p>Create an empty params file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="k">return</span> <span class="p">[];</span> </code></pre> </div> <h2> Adding Autoloading </h2> <p>If your project does not already autoload the <code>api</code> namespace, add it to <code>composer.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"autoload"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"psr-4"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"api\\"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api/"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Then run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>composer dump-autoload </code></pre> </div> <h2> Creating a Test Controller </h2> <p>Create a simple controller to confirm the API app works.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="kn">namespace</span> <span class="nn">api\controllers</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">yii\rest\Controller</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">SiteController</span> <span class="kd">extends</span> <span class="nc">Controller</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">actionIndex</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'status'</span> <span class="o">=&gt;</span> <span class="s1">'ok'</span><span class="p">,</span> <span class="s1">'app'</span> <span class="o">=&gt;</span> <span class="s1">'api'</span><span class="p">,</span> <span class="p">];</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>With this URL rule:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'rules'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'GET /'</span> <span class="o">=&gt;</span> <span class="s1">'site/index'</span><span class="p">,</span> <span class="p">],</span> </code></pre> </div> <p>You should be able to open:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://api.yourdomain.com/ </code></pre> </div> <p>or locally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://localhost:8080/ </code></pre> </div> <p>and see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ok"</span><span class="p">,</span><span class="w"> </span><span class="nl">"app"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Where Do URL Rules Go? </h2> <p>URL rules are added inside the <code>urlManager</code> component in <code>api/config/main.php</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'components'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'urlManager'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'enablePrettyUrl'</span> <span class="o">=&gt;</span> <span class="kc">true</span><span class="p">,</span> <span class="s1">'showScriptName'</span> <span class="o">=&gt;</span> <span class="kc">false</span><span class="p">,</span> <span class="s1">'rules'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'GET /'</span> <span class="o">=&gt;</span> <span class="s1">'site/index'</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> <span class="p">],</span> </code></pre> </div> <p>The <code>rules</code> array belongs inside:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="n">components</span><span class="mf">.</span><span class="n">urlManager</span> </code></pre> </div> <p>not at the top level of the config.</p> <h2> Do You Need to Add Every API Endpoint Manually? </h2> <p>No. Yii2 REST URL rules can generate standard REST endpoints automatically.</p> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="p">[</span> <span class="s1">'class'</span> <span class="o">=&gt;</span> <span class="nc">yii\rest\UrlRule</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'controller'</span> <span class="o">=&gt;</span> <span class="s1">'user'</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <p>generates standard REST routes like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /users GET /users/123 POST /users PUT /users/123 PATCH /users/123 DELETE /users/123 </code></pre> </div> <p>Yii2 pluralizes REST controller names by default:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>user -&gt; /users product -&gt; /products order -&gt; /orders </code></pre> </div> <p>For multiple controllers, you can group them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="p">[</span> <span class="s1">'class'</span> <span class="o">=&gt;</span> <span class="nc">yii\rest\UrlRule</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'controller'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'user'</span><span class="p">,</span> <span class="s1">'product'</span><span class="p">,</span> <span class="s1">'order'</span><span class="p">,</span> <span class="s1">'payment'</span><span class="p">,</span> <span class="s1">'notification'</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> </code></pre> </div> <p>This gives each controller its standard REST URLs.</p> <h2> Adding Custom API Actions </h2> <p>For non-standard endpoints, use <code>extraPatterns</code>.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="p">[</span> <span class="s1">'class'</span> <span class="o">=&gt;</span> <span class="nc">yii\rest\UrlRule</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'controller'</span> <span class="o">=&gt;</span> <span class="s1">'auth'</span><span class="p">,</span> <span class="s1">'extraPatterns'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'POST login'</span> <span class="o">=&gt;</span> <span class="s1">'login'</span><span class="p">,</span> <span class="s1">'POST logout'</span> <span class="o">=&gt;</span> <span class="s1">'logout'</span><span class="p">,</span> <span class="s1">'POST refresh-token'</span> <span class="o">=&gt;</span> <span class="s1">'refresh-token'</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> </code></pre> </div> <p>This creates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>POST /auth/login POST /auth/logout POST /auth/refresh-token </code></pre> </div> <p>So even with many endpoints, you usually do not list all of them manually. You define REST controllers and add only custom routes where needed.</p> <h2> Complete URLs </h2> <p>The complete URL depends on your API base URL.</p> <p>If your API is hosted at:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://api.yourdomain.com </code></pre> </div> <p>then the routes become:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET https://api.yourdomain.com/users GET https://api.yourdomain.com/users/123 POST https://api.yourdomain.com/users PUT https://api.yourdomain.com/users/123 PATCH https://api.yourdomain.com/users/123 DELETE https://api.yourdomain.com/users/123 </code></pre> </div> <p>For custom auth routes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>POST https://api.yourdomain.com/auth/login POST https://api.yourdomain.com/auth/logout POST https://api.yourdomain.com/auth/refresh-token </code></pre> </div> <p>If running locally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://localhost:8080/users http://localhost:8080/auth/login </code></pre> </div> <p>If pretty URLs are not configured correctly, URLs may include <code>index.php</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://localhost:8080/index.php/users http://localhost:8080/index.php/auth/login </code></pre> </div> <h2> Adding API Versioning </h2> <p>For versioned API URLs like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://api.yourdomain.com/v1/users https://api.yourdomain.com/v2/users </code></pre> </div> <p>the recommended Yii2 approach is to use modules.</p> <p>Create this structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>api/ modules/ v1/ Module.php controllers/ UserController.php v2/ Module.php controllers/ UserController.php </code></pre> </div> <h2> Creating the V1 Module </h2> <p>Create <code>api/modules/v1/Module.php</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="kn">namespace</span> <span class="nn">api\modules\v1</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">Module</span> <span class="kd">extends</span> <span class="nc">\yii\base\Module</span> <span class="p">{</span> <span class="k">public</span> <span class="nv">$controllerNamespace</span> <span class="o">=</span> <span class="s1">'api\modules\v1\controllers'</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Creating the V2 Module </h2> <p>Create <code>api/modules/v2/Module.php</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="kn">namespace</span> <span class="nn">api\modules\v2</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">Module</span> <span class="kd">extends</span> <span class="nc">\yii\base\Module</span> <span class="p">{</span> <span class="k">public</span> <span class="nv">$controllerNamespace</span> <span class="o">=</span> <span class="s1">'api\modules\v2\controllers'</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Registering API Modules </h2> <p>Register the modules in <code>api/config/main.php</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'modules'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'v1'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'class'</span> <span class="o">=&gt;</span> <span class="nc">api\modules\v1\Module</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="p">],</span> <span class="s1">'v2'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'class'</span> <span class="o">=&gt;</span> <span class="nc">api\modules\v2\Module</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> </code></pre> </div> <p>Your config now includes the versioned modules.</p> <h2> Adding Versioned URL Rules </h2> <p>Inside <code>components.urlManager.rules</code>, add versioned REST rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'rules'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="p">[</span> <span class="s1">'class'</span> <span class="o">=&gt;</span> <span class="nc">yii\rest\UrlRule</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'controller'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'v1/user'</span><span class="p">,</span> <span class="s1">'v1/product'</span><span class="p">,</span> <span class="s1">'v1/order'</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> <span class="p">[</span> <span class="s1">'class'</span> <span class="o">=&gt;</span> <span class="nc">yii\rest\UrlRule</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'controller'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'v2/user'</span><span class="p">,</span> <span class="s1">'v2/product'</span><span class="p">,</span> <span class="s1">'v2/order'</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> <span class="p">],</span> </code></pre> </div> <p>Now Yii2 maps these controllers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>api/modules/v1/controllers/UserController.php api/modules/v2/controllers/UserController.php </code></pre> </div> <p>to these URLs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/v1/users /v2/users </code></pre> </div> <h2> Creating a Versioned Controller </h2> <p>Create <code>api/modules/v1/controllers/UserController.php</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="kn">namespace</span> <span class="nn">api\modules\v1\controllers</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">yii\rest\ActiveController</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">UserController</span> <span class="kd">extends</span> <span class="nc">ActiveController</span> <span class="p">{</span> <span class="k">public</span> <span class="nv">$modelClass</span> <span class="o">=</span> <span class="s1">'common\models\User'</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Now the following endpoints are available:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /v1/users GET /v1/users/123 POST /v1/users PUT /v1/users/123 PATCH /v1/users/123 DELETE /v1/users/123 </code></pre> </div> <p>For v2, create:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="kn">namespace</span> <span class="nn">api\modules\v2\controllers</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">yii\rest\ActiveController</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">UserController</span> <span class="kd">extends</span> <span class="nc">ActiveController</span> <span class="p">{</span> <span class="k">public</span> <span class="nv">$modelClass</span> <span class="o">=</span> <span class="s1">'common\models\User'</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Now v2 endpoints are available:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /v2/users GET /v2/users/123 POST /v2/users PUT /v2/users/123 PATCH /v2/users/123 DELETE /v2/users/123 </code></pre> </div> <h2> Adding Versioned Auth Endpoints </h2> <p>For an auth controller inside v1:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="p">[</span> <span class="s1">'class'</span> <span class="o">=&gt;</span> <span class="nc">yii\rest\UrlRule</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'controller'</span> <span class="o">=&gt;</span> <span class="s1">'v1/auth'</span><span class="p">,</span> <span class="s1">'extraPatterns'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'POST login'</span> <span class="o">=&gt;</span> <span class="s1">'login'</span><span class="p">,</span> <span class="s1">'POST logout'</span> <span class="o">=&gt;</span> <span class="s1">'logout'</span><span class="p">,</span> <span class="s1">'POST refresh-token'</span> <span class="o">=&gt;</span> <span class="s1">'refresh-token'</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> </code></pre> </div> <p>This creates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>POST /v1/auth/login POST /v1/auth/logout POST /v1/auth/refresh-token </code></pre> </div> <p>Your controller would live at:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>api/modules/v1/controllers/AuthController.php </code></pre> </div> <h2> Adding Bearer Token Authentication </h2> <p>Yii2 supports bearer token authentication with <code>yii\filters\auth\HttpBearerAuth</code>.</p> <p>In a REST controller, add:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">use</span> <span class="nc">yii\filters\auth\HttpBearerAuth</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">behaviors</span><span class="p">()</span> <span class="p">{</span> <span class="nv">$behaviors</span> <span class="o">=</span> <span class="k">parent</span><span class="o">::</span><span class="nf">behaviors</span><span class="p">();</span> <span class="nv">$behaviors</span><span class="p">[</span><span class="s1">'authenticator'</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span> <span class="s1">'class'</span> <span class="o">=&gt;</span> <span class="nc">HttpBearerAuth</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="p">];</span> <span class="k">return</span> <span class="nv">$behaviors</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="kn">namespace</span> <span class="nn">api\modules\v1\controllers</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">yii\rest\ActiveController</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">yii\filters\auth\HttpBearerAuth</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">UserController</span> <span class="kd">extends</span> <span class="nc">ActiveController</span> <span class="p">{</span> <span class="k">public</span> <span class="nv">$modelClass</span> <span class="o">=</span> <span class="s1">'common\models\User'</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">behaviors</span><span class="p">()</span> <span class="p">{</span> <span class="nv">$behaviors</span> <span class="o">=</span> <span class="k">parent</span><span class="o">::</span><span class="nf">behaviors</span><span class="p">();</span> <span class="nv">$behaviors</span><span class="p">[</span><span class="s1">'authenticator'</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span> <span class="s1">'class'</span> <span class="o">=&gt;</span> <span class="nc">HttpBearerAuth</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="p">];</span> <span class="k">return</span> <span class="nv">$behaviors</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Requests must include an Authorization header:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Authorization: Bearer your-token-here </span></code></pre> </div> <h2> Finding Users by Access Token </h2> <p>Your <code>common\models\User</code> model should implement:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">static</span> <span class="k">function</span> <span class="n">findIdentityByAccessToken</span><span class="p">(</span><span class="nv">$token</span><span class="p">,</span> <span class="nv">$type</span> <span class="o">=</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">static</span><span class="o">::</span><span class="nf">findOne</span><span class="p">([</span><span class="s1">'access_token'</span> <span class="o">=&gt;</span> <span class="nv">$token</span><span class="p">]);</span> <span class="p">}</span> </code></pre> </div> <p>For this to work, your <code>user</code> table needs an <code>access_token</code> column, or you need a separate token table.</p> <p>For production APIs, avoid storing permanent plain tokens. A better approach is usually:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>short-lived access tokens refresh tokens hashed token storage JWT OAuth2 </code></pre> </div> <p>The simple <code>access_token</code> example is useful for learning, but production authentication should be designed more carefully.</p> <h2> Recommended Final Structure </h2> <p>A versioned API app may look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>api/ config/ main.php main-local.php params.php modules/ v1/ Module.php controllers/ AuthController.php UserController.php ProductController.php v2/ Module.php controllers/ AuthController.php UserController.php ProductController.php runtime/ web/ index.php backend/ common/ console/ frontend/ </code></pre> </div> <h2> Final Notes </h2> <p>In Yii2 Advanced, an API is simply another application beside <code>frontend</code> and <code>backend</code>. You create the <code>api</code> folder manually, give it its own config and web entry point, then use REST URL rules and modules to keep the code organized.</p> <p>The most common pattern is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>api/modules/v1/controllers/UserController.php -&gt; /v1/users api/modules/v2/controllers/UserController.php -&gt; /v2/users </code></pre> </div> <p>This keeps your API versions cleanly separated in both the URL and the codebase.</p> php yii2 restapi