…vue: If you're not familiar with Vue, don't worry. We will do some light coding in it, but I'm mostly using it as an example to make some API requests. Down near the bottom, on submit, we make a POST request to …

…>markAsTokenAuthenticated() and pass $token->getScopes(): Done! Let's take it for a test drive! Back over on Swagger, it already has our API token... so we can just re-execute the request. Cool: we see the Authorization header. Did it authenticate with the correct scopes…

…site, a single page application built in Hipster.js or even in a mobile app. In all those situations, the user of your API will be sending an email & password. By the way, if you do not have this situation, that doesn't change much…

…you can't put binary data in JSON: it's just not supported. API's work around this fact by expecting the client to base64 encode the data. Search for "base64 encode online" to find a site that can base64 encode some stuff for us…

…t break anything technically... but it's weird. Our endpoint isn't setup to be an API endpoint - it's 100% traditional: we're redirecting on error and success. But now that we are using this as an API endpoint, let's fix that! And..…

…These are Internet-wide standards like self. So if you use these names for your links, your API will be consistent with a lot of other APIs. The other important thing to notice in this example is that pagination is done with query parameters. Technically…

…second request below for /login. Let's back up. First, for some reason, authentication is failing for the API request. We'll get to that in a minute. Second, fetch() requests will normally show up under the XHR network filter. We'll see that later…

Coming soon...

…possesses" this token - can use it to authenticate, without needing to provide any other types of authentication, like a master key or a password. Most API tokens, also known as "access tokens" are "bearer" tokens. And this is a standard way of attaching them to…

…instantly make authenticated AJAX requests from JavaScript, because those requests send the session cookie. So, if the only thing that needs to use your API is your own JavaScript, just use LoginFormAuthenticator. Oh, and if you need to be fancier with your login form, sure…

When the request sends us a valid API token, our authenticator code is working! At least all the way to checkCredentials(). But before we finish that, I want to see what happens if a client sends us a bad key. So let's see... the…