Trongate Way Docs

Database Setup

The REST API uses the same countries table that we created in the Basic CRUD chapter. If you followed that chapter, the table already exists with its 60 sample records and you can skip ahead.

For reference, the table structure is:

SQL
CREATE TABLE IF NOT EXISTS `countries` (
    `id` int(11) NOT NULL AUTO_INCREMENT,
    `country_title` varchar(100) NOT NULL,
    `country_code` varchar(2) NOT NULL,
    PRIMARY KEY (`id`),
    UNIQUE KEY `country_code` (`country_code`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

The countries.sql file in the repository includes this table plus 60 sample country records.

Users and Tokens

The API uses Trongate's built-in token system for authentication. This system stores tokens in the trongate_tokens database table, which is part of the standard Trongate installation. Each token is a 32-character hexadecimal string linked to a specific user.

When a user logs in via the Trongate login system, a token is generated automatically and stored in the session (and optionally as a cookie). For the REST API, the same token can be sent as an HTTP header:

Trongatetoken: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4

The Trongate framework checks for tokens in this order:

  1. HTTP headers - Trongatetoken header
  2. Cookies - trongatetoken cookie
  3. Session - $_SESSION['trongatetoken']

This means you can test the API from a browser if you are already logged in (the token is in your session), or from a command-line tool like curl by passing the header explicitly.

Getting a Token

To obtain a token, log in to your Trongate application as an administrator. The token will be stored in your session automatically. You can also generate tokens programmatically using the Trongate_tokens module:

PHP
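// Run this inside a controller method, where $this is available.
$token_data = [
    'user_id' => 1,                         // ID of the user the token is linked to
    'expiry_date' => strtotime('+30 days'), // Unix timestamp, 30 days from now
    'set_cookie' => false                   // do not also store the token as a cookie
];

// Generate the token and keep the resulting token string.
$new_token = $this->trongate_tokens->generate_token($token_data);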

For the purposes of this chapter, we will assume you have an active admin session and the framework will find your token automatically. Later, when we discuss authentication in depth, we will look at passing tokens explicitly via headers.

Your Security, Your Rules. Trongate provides the token system, but it is up to you to decide which endpoints require authentication and what access rules to enforce. Some APIs expose public read endpoints while locking down writes; others require tokens on every request. The framework gives you the tools; you define the policy.

For full details, see Understanding Trongate's Token System in the framework documentation.
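
The lookup order described under Users and Tokens, combined with a public-read, protected-write policy of the kind mentioned above, as an added PHP example that is not Trongate's own code. The function names, the row shape standing in for the trongate_tokens table, and the rule that a malformed first candidate is rejected rather than skipped are assumptions of this example.

```php
<?php
// Hypothetical helper, not Trongate code: pick the token candidate using the
// documented order (header, then cookie, then session).
function resolve_token(array $headers, array $cookies, array $session): ?array {
    $headers = array_change_key_case($headers, CASE_LOWER); // header names are case-insensitive
    $sources = [
        'header'  => $headers['trongatetoken'] ?? null,
        'cookie'  => $cookies['trongatetoken'] ?? null,
        'session' => $session['trongatetoken'] ?? null,
    ];
    foreach ($sources as $source => $value) {
        if ($value === null) { continue; } // source absent, try the next one
        // Choice made in this example: the first source present wins, and a value
        // that is not a 32-character hex string is rejected, not skipped.
        $ok = is_string($value) && strlen($value) === 32 && ctype_xdigit($value);
        return $ok ? ['source' => $source, 'token' => $value] : null;
    }
    return null;
}

// Stand-in for the trongate_tokens lookup: the token must exist and be unexpired.
function is_live_token(string $token, array $rows, int $now): bool {
    foreach ($rows as $row) {
        if (hash_equals($row['token'], $token) && $row['expiry_date'] > $now) {
            return true;
        }
    }
    return false;
}

// Example policy: reads are public, every other method needs a live token.
function is_allowed(string $method, ?array $resolved, array $rows, int $now): bool {
    if (in_array(strtoupper($method), ['GET', 'HEAD'], true)) {
        return true;
    }
    return $resolved !== null && is_live_token($resolved['token'], $rows, $now);
}

// Constructed sample data (token value taken from the header example above).
$now     = 1700000000;
$rows    = [['token' => 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4', 'user_id' => 1, 'expiry_date' => $now + 3600]];
$session = ['trongatetoken' => 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4'];

var_dump(is_allowed('POST', resolve_token([], [], $session), $rows, $now));   // write with session token
var_dump(is_allowed('POST', resolve_token(['Trongatetoken' => 'bad'], [], $session), $rows, $now)); // malformed header
var_dump(is_allowed('GET', resolve_token([], [], []), $rows, $now));          // public read, no token
var_dump(is_allowed('DELETE', resolve_token([], [], []), $rows, $now));       // write, no token
```

Because the header is consulted first, a request that sends a Trongatetoken header is judged on that value even when the browser also holds a valid session token.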
