auth-server-laravel overview

vendidit/auth-server-laravel is a thin Laravel adapter over auth-server-php. It wraps that library in a custom Guard that verifies JWTs locally, and adds role/permission/app middleware, a VenAuth Facade, Blade directives, and a HasVenAuth trait you drop onto your existing User model.

Source   Vendidit/auth-server-laravel
Stack    PHP 8.1+ · Laravel 11+ · auto-discovered service provider
Wraps    auth-server-php
Mirror   auth-server-nest

The 80% usage

Terminal window
composer require vendidit/auth-server-laravel
php artisan vendor:publish --tag=vauth-config

AUTH_SERVER_URL=https://auth.vendidit.com
JWT_ACCESS_SECRET=<shared with auth-server>
AUTH_APP_CODE=marketplace-buyer

config/auth.php
'guards' => ['web' => ['driver' => 'vendidit-jwt', 'provider' => 'users']],
'providers' => [
    'users' => ['driver' => 'vendidit', 'model' => \App\Models\User::class],
],

app/Models/User.php
use Illuminate\Foundation\Auth\User as Authenticatable;
use Vendidit\AuthServer\Laravel\Concerns\HasVenAuth;

class User extends Authenticatable
{
    use HasVenAuth;
}

routes/web.php
Route::middleware('vauth')->group(function () {
    Route::get('/me', fn() => auth()->user());
    Route::middleware('vauth.role:org_admin,system_admin')
        ->get('/admin/users', AdminUsersController::class);
    Route::middleware('vauth.permission:listings:create')
        ->post('/listings', CreateListingController::class);
});

Middleware aliases

Alias                     Purpose
vauth                     Validate the bearer; populate auth()->user().
vauth.role:r1,r2          Require any of the listed roles.
vauth.permission:p1,p2    Require any of the listed permissions.
vauth.app:code1,code2     Require the token’s app_id claim to match.
vauth.org:slug-or-id      Require the token’s org_id to match.
vauth.no_imp              Refuse impersonated tokens (for sensitive routes).
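
The checks that local verification with a shared secret has to perform, as an added example (not code from auth-server-laravel or auth-server-php). It assumes HS256 signing and a standard `exp` claim, neither of which this page states; the function names, the sample secret and the `vendor-portal` app code are constructed.

```php
<?php
// Added illustration, not code from auth-server-laravel or auth-server-php.
// Assumed: HS256 and a standard `exp` claim; `app_id` is the claim this page names.
function b64url_encode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
function b64url_decode(string $s): string
{
    $s = strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4);
    return (string) base64_decode($s, true); // '' on malformed input
}

/** Returns the claims of a valid token, or null on any failure. */
function verify_access_token(string $jwt, string $secret, string $app, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { return null; }
    [$h, $p, $sig] = $parts;
    $header = json_decode(b64url_decode($h), true);
    // Pin the algorithm; the token must not choose how it is verified.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') { return null; }
    // Check the signature before reading any claim; hash_equals is constant-time.
    $mac = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($mac, b64url_decode($sig))) { return null; }
    $claims = json_decode(b64url_decode($p), true);
    $exp = is_array($claims) ? ($claims['exp'] ?? null) : null;
    if (!is_int($exp) || $exp <= $now) { return null; }
    // Same idea as vauth.app: a token issued for another app is rejected.
    return ($claims['app_id'] ?? null) === $app ? $claims : null;
}

function mint(array $claims, string $secret, string $alg = 'HS256'): string
{
    $msg = b64url_encode(json_encode(['alg' => $alg])) . '.' . b64url_encode(json_encode($claims));
    return $msg . '.' . b64url_encode(hash_hmac('sha256', $msg, $secret, true));
}

// Constructed inputs: mint() stands in for the auth server; throwaway secret, fixed clock, made-up second app code.
[$key, $now, $app] = ['constructed-demo-secret', 1700000000, 'marketplace-buyer'];
$ok = ['sub' => 'u1', 'app_id' => $app, 'exp' => $now + 300];
$cases = [
    'valid'        => [mint($ok, $key), $app],
    'wrong key'    => [mint($ok, 'other-secret'), $app],
    'expired'      => [mint(['exp' => $now - 1] + $ok, $key), $app],
    'other app'    => [mint($ok, $key), 'vendor-portal'],
    'alg != HS256' => [mint($ok, $key, 'none'), $app],
];
foreach ($cases as $name => [$jwt, $want]) { var_dump($name, verify_access_token($jwt, $key, $want, $now) !== null); }
```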

The facade

use Vendidit\AuthServer\Laravel\Facades\VenAuth;
$user = VenAuth::user();
$canEdit = VenAuth::hasPermission('listings:edit');
$isInOrg = VenAuth::hasOrg($orgId);
$isImpersonating = VenAuth::isImpersonating();

Blade directives

@vauth
    <a href="/profile">Profile</a>
@endvauth

@vrole('org_admin')
    <a href="/admin">Admin</a>
@endvrole

@vperm('listings:create')
    <button>New listing</button>
@endvperm

@vapp('marketplace-buyer')
    {{-- buyer-only UI --}}
@endvapp

@vimpersonating
    <div class="banner">You are impersonating {{ auth()->user()->email }}</div>
@endvimpersonating

The trait

HasVenAuth adds helpers to your User model so existing code (Eloquent relations, gates, policies) keeps working:

$user->hasVenRole('org_admin');
$user->hasVenPermission('listings:edit');
$user->venOrgId();
$user->venAppCode();

Two integration patterns

  • Pattern A — stateless. No local users table. auth()->user() returns the principal directly. Use when the Laravel app is purely a token-validating API server.
  • Pattern B — composable. Local users table referenced by vendidit_id. The guard hydrates the model on each request. Use when you have local user-scoped data (preferences, profile, etc.).

config/vauth.php controls the pattern.