Implementing API Authentication with Guardian in Phoenix

Tags: #<Tag:0x00007f113ecf0e08> #<Tag:0x00007f113ecf0c00> #<Tag:0x00007f113ecf0a48>


Hi! I recently finished adding authentication to my Phoenix API, so I wanted to share what I learned.

I haven’t created authentication for an API only application before, so not using sessions/cookies was a little confusing at first. I hope this post can help others who haven’t writter an API before!



@mhanberg, thank you very much. I want to ask, for how long is the token valid? How to configure that setting and does the token refresh / extends its validity the user actively is using it (i.e. does it expire only if it had been idle for some time)


The documentation for the configuration you’re looking for is here These options go in the configuration in config.ex

The default TTL (time to live) for the JWT is 4 weeks and I believe you need to manually refresh the token. My post doesn’t detail that aspect :sweat_smile:


Also have a look at for a way to revoke tokens issued.


Would you elaborate this piece of code, how to handle email errors here (email not found or wrong password), i.e. how to return 401 if email not found or credentials are wrong, here:

def sign_in(conn, params) do
  # Find the user in the database based on the credentials sent with the request
  with %User{} = user <- Accounts.find( do
    # Attempt to authenticate the user
    with {:ok, token, _claims} <- Accounts.authenticate(%{user: user, password: login_cred.password}) do
      # Render the token
      render conn, "token.json", token: token


I’m on a business trip right now, I’ll reply to this when I get some free
time. But in the meantime, look into the Phoenix Fallback Controller

Relevant blog ->


I have managed to put this code together:

defmodule AcrosapWeb.FallbackController do
  @moduledoc """
  Translates controller action results into valid `Plug.Conn` responses.
  See `Phoenix.Controller.action_fallback/1` for more details.

  use AcrosapWeb, :controller

  def call(conn, {:error, %Ecto.Changeset{} = changeset}) do
    |> put_status(:unprocessable_entity)
    |> render(AcrosapWeb.ChangesetView, "error.json", changeset: changeset)

  def call(conn, {:error, :not_found}) do
    |> put_status(:not_found)
    |> render(AcrosapWeb.ErrorView, :"404")

  def call(conn, {:error, :unauthorized}) do
    |> put_status(:forbidden)
    |> json(%{status: "forbidden"})


it is working except at the situation that the user object cannot be found by his email address, I get this error:

(FunctionClauseError) no function clause matching in


I would take a look at the return value of the call you’re making in the with expression.


To get rid of this error message, You can add something like this

  def call(conn, args) do
    IO.inspect args
    |> put_status(:whatever)
    |> json(%{status: "whatever"})


Thanks @kokolegorille, based on your idea I have found that the code block needed to handle wrong email address (non existent in DB) is:

def call(conn, :nil) do
  |> put_status(:unauthorized)
  |> json(%{status: "unauthorized"})