Extracting Tokens from Headers in Middleware using Vapor

Vapor is a popular server-side Swift web framework that allows you to build web applications using Swift. It provides a wide range of features, including routing, templating, authentication, and more.

Middleware plays a crucial role in web application development, allowing you to intercept requests and responses to add additional functionality. In this blog post, we will explore how to extract tokens from headers in Vapor, a popular server-side Swift web framework. We will provide detailed explanations, along with code snippets and examples, to guide you through the process.


Before diving into the implementation, make sure you have the following prerequisites installed on your system:

  • Swift: Vapor is built using the Swift programming language, so ensure you have a compatible Swift version installed.
  • Vapor: Install Vapor from the official website or using Homebrew, or using any other method of your choice.

Let's begin by setting up a new Vapor project and creating the necessary middleware.

Step 1: Setting Up a Vapor Project

To create a new Vapor project, open your terminal and run the following commands:

mkdir VaporProject
cd VaporProject
vapor new MyProject -n
cd MyProject

Step 2: Creating the Middleware

Inside the Sources/App/Middleware directory, create a new file named TokenMiddleware.swift with the following code:

import Vapor

final class TokenMiddleware: Middleware {
    func respond(to request: Request, chainingTo next: Responder) -> EventLoopFuture<Response> {
        // Extract token from the request's headers
        guard let token = request.headers.first(name: "Authorization") else {
            let errorResponse = Response(status: .unauthorized)
            errorResponse.body = "Missing token in headers"
            return request.eventLoop.makeFailedFuture(Abort.unauthorized)

        // Perform token validation or processing logic here
        // ...

        // Continue the request chain
        return next.respond(to: request)

Step 3: Registering the Middleware

Open the Sources/App/configure.swift file and add the following code inside the configure(_:) method:


Step 4: Testing the Middleware

To test the middleware, we will create a sample route that requires token authentication. Open the Sources/App/routes.swift file and replace the existing code with the following:

import Vapor

func routes(_ app: Application) throws {
    app.get("protected") { req in
        return "This is a protected route"

Step 5: Starting the Server

Now that we have set up the middleware and a protected route, let's start the Vapor server. Open your terminal and run the following command:

vapor run

Congratulations! Your Vapor server is now running and ready to accept requests.

Testing the Middleware:

To test the token extraction middleware, we can make a request to the protected route by including the token in the request headers. You can use tools like cURL or Postman for this purpose.

Example cURL Request:

curl -X GET http://localhost:8080/protected -H "Authorization: Bearer YOUR_TOKEN_HERE"

Example Postman Request:

Set the request URL to http://localhost:8080/protected.

Go to the "Headers" tab and add a new header with the key "Authorization" and the value "Bearer YOUR_TOKEN_HERE".

Click the "Send" button to make the request.

If the token extraction is successful, you should receive a response with the message "This is a protected route".

If the token is missing or invalid, you will receive a response with an "Unauthorized" status and an appropriate error message.


In this post, we explored how to extract tokens from headers in Vapor middleware.

By following the steps outlined above, you can implement token-based authentication and perform necessary validation or processing logic. Middleware provides a powerful mechanism to intercept requests and add additional functionality to your Vapor applications, making it an essential tool for building secure and robust web applications.

Remember to consider security best practices, such as token encryption and revocation, when implementing authentication systems in production environments.

Thank you for reading this far.

Share on Twitter