Nasrul Hazim Bin Mohamad

Token Vault – Securely Store & Manage API Tokens in Laravel

Managing API tokens across multiple providers can get messy — especially when it comes to securing them and handling expirations.

That’s why I built Token Vault — a Laravel package designed to securely store, encrypt, and manage all types of API tokens in a consistent and standardised way.


🧰 What Is Token Vault?

Token Vault is a Laravel package that provides a clean, encrypted, polymorphic way to store API tokens like:

  • GitHub personal access tokens
  • GitLab tokens
  • Access keys for any third-party API

Every token is encrypted at rest and scoped to an owning model (e.g. User, Project, etc.).


🧩 Features

✅ Encrypted token storage (AES-256 encryption)
✅ Polymorphic support – attach tokens to any model
✅ Built-in expiration support
✅ Safe token masking for UI
✅ Enum support for provider names


🚀 Getting Started

Install the package via Composer:

composer require cleaniquecoders/token-vault

Publish the migration:

php artisan vendor:publish --tag="token-vault-migrations"
php artisan migrate

🔧 Usage

1. Use the Trait in Your Model

use CleaniqueCoders\TokenVault\Traits\InteractsWithTokenVault;

class User extends Authenticatable
{
    use InteractsWithTokenVault;
}

2. Store a Token

use CleaniqueCoders\TokenVault\Enums\Provider;

$user->tokens()->create([
    'provider' => Provider::GitHub,
    'type' => 'access_token',
    'token' => 'ghp_xxxx', // encrypted automatically
    'meta' => ['label' => 'Deploy token'],
    'expires_at' => now()->addDays(30),
]);

3. Retrieve & Use Tokens

$token = $user->tokens()->latest()->first();

$plainText = $token->getDecryptedToken(); // use cautiously
$masked = $token->getMaskedToken();       // safe for display

4. Check Expiry & Validation

$token->isExpired(); // true or false
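The four steps above combined into one consumer-side service, as an added example that is not part of the Token Vault package or the original post. It uses only the methods shown in this post (tokens(), getDecryptedToken(), getMaskedToken(), isExpired() and the Provider enum). The class name GitHubTokenResolver, the App\Models\User namespace, and the assumption that tokens() is an ordinary Eloquent relationship whose rows carry a 'provider' column (the key used in the create() call above, bound by Laravel 9+ as the enum's backing value) are mine.

```php
<?php

// Added example, not package code. Assumptions: App\Models\User uses the
// InteractsWithTokenVault trait; tokens() is a normal Eloquent relationship
// with a 'provider' column holding the Provider enum's backing value.

namespace App\Services;

use App\Models\User;
use CleaniqueCoders\TokenVault\Enums\Provider;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Log;
use RuntimeException;

class GitHubTokenResolver
{
    /**
     * Return the newest GitHub token for the user, or null when none is stored
     * or the newest one has expired. Only the package's masked form is logged;
     * the decrypted value is produced as late as possible and returned directly.
     */
    public function resolve(User $user): ?string
    {
        // Assumption: 'provider' is the column behind the create() key shown above.
        $token = $user->tokens()
            ->where('provider', Provider::GitHub)
            ->latest()
            ->first();

        if ($token === null) {
            Log::info('token-vault: no GitHub token stored', ['user_id' => $user->id]);

            return null;
        }

        if ($token->isExpired()) {
            // Log the masked token only, never the decrypted value.
            Log::warning('token-vault: GitHub token expired', [
                'user_id'    => $user->id,
                'token'      => $token->getMaskedToken(),
                'expires_at' => $token->expires_at,
            ]);

            return null;
        }

        return $token->getDecryptedToken();
    }

    /**
     * Call the GitHub API with the resolved token. The plaintext exists only in
     * the Authorization header for the lifetime of this request.
     */
    public function listRepositories(User $user): array
    {
        $plain = $this->resolve($user);

        if ($plain === null) {
            throw new RuntimeException('No valid GitHub token for user '.$user->id);
        }

        return Http::withToken($plain)
            ->acceptJson()
            ->get('https://api.github.com/user/repos')
            ->throw()
            ->json();
    }
}
```

The design choice worth copying is the split between resolve() and the call site: everything that can be logged or displayed goes through getMaskedToken(), and getDecryptedToken() is called once, immediately before the value is needed, so the plaintext never sits in a long-lived property or ends up in a log context array.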

🔄 Supported Providers

The built-in Provider enum gives each supported provider a human-readable label and description:

use CleaniqueCoders\TokenVault\Enums\Provider;

Provider::GitHub->label();       // "GitHub"
Provider::GitHub->description(); // "GitHub API token"

You can also extend this enum to support additional providers as your app evolves.


🧪 Testing With Pest

This package includes Pest support out of the box with factories and migrations, so testing integration is straightforward.

use App\Models\User; // adjust to your application's user model namespace
use CleaniqueCoders\TokenVault\Enums\Provider;

it('stores encrypted token and decrypts correctly', function () {
    $user = User::factory()->create();

    $token = $user->tokens()->create([
        'provider' => Provider::GitHub,
        'type' => 'access_token',
        'token' => 'ghp_test123456',
    ]);

    // The stored value is encrypted; getDecryptedToken() returns the original plaintext.
    expect($token->getDecryptedToken())->toBe('ghp_test123456');
});
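The Pest test above checks the round trip only. As an added example that is not part of the package or the original post, the tests below extend it to the expiration and masking features, using the same API plus standard Laravel helpers (Carbon::setTestNow, Eloquent's getRawOriginal). The App\Models\User namespace and the assumption that the ciphertext lives in a 'token' column on the row are mine.

```php
<?php

// Added tests, not package code. Assumptions: App\Models\User uses the
// InteractsWithTokenVault trait, and the encrypted value is stored in a
// 'token' column (the key used in the create() call).

use App\Models\User;
use CleaniqueCoders\TokenVault\Enums\Provider;
use Illuminate\Support\Carbon;

// Constructed sample plaintext; not a real credential.
$plain = 'ghp_sample_000000000000';

it('reports a token whose expires_at is in the past as expired', function () use ($plain) {
    $user = User::factory()->create();

    $token = $user->tokens()->create([
        'provider'   => Provider::GitHub,
        'type'       => 'access_token',
        'token'      => $plain,
        'expires_at' => now()->subMinute(),
    ]);

    expect($token->isExpired())->toBeTrue();
});

it('becomes expired once the clock passes expires_at', function () use ($plain) {
    Carbon::setTestNow('2030-01-01 00:00:00'); // freeze the clock

    $user = User::factory()->create();

    $token = $user->tokens()->create([
        'provider'   => Provider::GitHub,
        'type'       => 'access_token',
        'token'      => $plain,
        'expires_at' => now()->addHour(),
    ]);

    expect($token->isExpired())->toBeFalse();

    Carbon::setTestNow('2030-01-01 02:00:00'); // advance past expires_at

    expect($token->fresh()->isExpired())->toBeTrue();

    Carbon::setTestNow(); // release the frozen clock
});

it('does not persist the plaintext token in the database row', function () use ($plain) {
    $user = User::factory()->create();

    $token = $user->tokens()->create([
        'provider' => Provider::GitHub,
        'type'     => 'access_token',
        'token'    => $plain,
    ]);

    // Assumption: the ciphertext is stored in the 'token' column.
    $stored = $token->fresh()->getRawOriginal('token');

    expect($stored)->not->toBe($plain);
    expect($stored)->not->toContain($plain);
});

it('never exposes the full plaintext through the masked form', function () use ($plain) {
    $user = User::factory()->create();

    $token = $user->tokens()->create([
        'provider' => Provider::GitHub,
        'type'     => 'access_token',
        'token'    => $plain,
    ]);

    expect($token->getMaskedToken())->not->toBe($plain);
    expect($token->getMaskedToken())->not->toContain($plain);
    expect($token->getDecryptedToken())->toBe($plain);
});
```

The "does not persist the plaintext" test is the one that guards the security property the package is built around: it reads the raw stored attribute rather than the accessor, so a future refactor that accidentally drops the encryption would fail the suite instead of silently writing plaintext to the table.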

📦 Ready to Use

The package is live and open source at:

👉 github.com/cleaniquecoders/token-vault

We welcome your feedback, pull requests, or ideas to improve!


💡 Why Token Vault?

In Laravel projects, it’s common to store and manage access tokens, but developers often:

  • Store them unencrypted 😬
  • Hardcode provider types
  • Lack expiry logic
  • Rebuild similar logic repeatedly

Token Vault addresses these with a clean API, encrypted storage, and a standardised token model that fits any use case.


✨ What’s Next?

We plan to add:

  • 🛠 Storing webhooks and validating their signatures for common providers
  • 🔐 UI component for managing tokens

Give it a try, star the repo, and feel free to open issues or feature requests. We’d love your feedback!

👉 cleaniquecoders/token-vault on GitHub


Photo by rc.xyz NFT gallery on Unsplash
