REST API Login - Very frustrating :(

Hi Guys,

I’ve been trying to create a login API for a long time already and I’m not succeeding.

I’m very frustrated :(

This is my scenario: I’m converting an app developed in Yii1 to Yii 2.x, and in Yii1 my APIs work great. I had a method in my ApiController.php called actionLogin and it was beautiful.

Anyway, now in Yii 2 things got very complicated for me. I’m using as my advanced application, which already has the API implemented under backend > modules > api > v1. I added my controllers there and I get the results working. So far so good, but now I want only users that are authenticated to be able to call my API and see the results (this API will be used in an Android mobile app).

I followed all the tutorials that you can find online but none of them worked for me. I’m sure that I am missing something because there is no way possible that I can’t get this working. I’m really desperate. Please help me.

Does anyone have step-by-step instructions on how to do it based on ?

I never tried the yii2-starter-kit but this tutorial about oauth 2.0 was useful to me:

I think the key is to understand how the USER class works. I ended up building a separate module called auth (with its own USER class) to deliver access and refresh tokens and an api module to deliver the resources with its own USER class. You can check it here if needed:


Thanks for that link, but I did that before and it didn’t work.

I get the message "login required" and then I’m using the Firefox RESTApi addon to send my login information, but it’s not working. Am I sending the wrong thing? Because the tutorial doesn’t say what the link to do the login action is and what the parameters are.

Using Yii 1 I was doing a simple

REST API Login works the same as Normal Application.

Follow the steps:

  1. In the controller you have to use QueryParam authentication for managing guest and user roles. (Refer to QueryParam in the Yii2 API guide.)

  2. On successful login, you have to return the auth_key to the view and save it in the browser session.

  3. On every request, you have to send your auth_key variable in the AJAX request, like ("your_auth_key").

  4. QueryParam will return 401 credential if a guest user is trying to access user role URLs.
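The four steps above put together in one controller, as an added example that is not code from this thread. `ApiUser`, its `access_token` column (standing in for the auth_key the steps mention), the namespace, and the `AuthController`, `login` and `profile` names are assumptions; `ApiUser` is also assumed to implement `findIdentityByAccessToken()` by looking up that column.

```php
<?php
// Added example, not code from the thread. ApiUser, its access_token column,
// and the controller/action names are assumptions.
namespace backend\modules\api\v1\controllers;

use Yii;
use yii\filters\auth\QueryParamAuth;
use yii\rest\Controller;
use yii\web\UnauthorizedHttpException;
use common\models\ApiUser; // hypothetical identity class

class AuthController extends Controller
{
    public function behaviors()
    {
        $behaviors = parent::behaviors();
        // Step 1: every action needs a valid token, except the login itself.
        $behaviors['authenticator'] = [
            'class' => QueryParamAuth::className(),
            'except' => ['login'],
        ];
        return $behaviors;
    }

    protected function verbs()
    {
        return ['login' => ['POST'], 'profile' => ['GET']];
    }

    // Step 2: POST username + password, get a fresh random token back.
    public function actionLogin()
    {
        $request = Yii::$app->request;
        $user = ApiUser::findByUsername((string) $request->post('username'));
        // Same 401 and message for an unknown user and a wrong password.
        if ($user === null || !$user->validatePassword((string) $request->post('password'))) {
            throw new UnauthorizedHttpException('Invalid username or password.');
        }
        $user->access_token = Yii::$app->security->generateRandomString(40);
        $user->save(false, ['access_token']);
        return ['access_token' => $user->access_token];
    }

    // Steps 3 and 4: GET .../profile?access-token=<token>; no valid token gives 401.
    public function actionProfile()
    {
        return ['id' => Yii::$app->user->id];
    }
}
```

`QueryParamAuth` reads the token from the `access-token` query parameter by default, so the token appears in URLs and server access logs. `yii\filters\auth\HttpBearerAuth` accepts the same token in an `Authorization: Bearer` header instead.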

I was trying with this for a while with no success … and I ended up with this:


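use yii\filters\auth\CompositeAuth;
use yii\filters\auth\HttpBasicAuth;

// Inside the controller's behaviors() method:
$behaviors['authenticator'] = [
    'class' => CompositeAuth::className(),
    //'except' => ['Test','index'],
    'authMethods' => [
        [
            'class' => HttpBasicAuth::className(),
            // Called with the HTTP Basic credentials; returns the identity.
            'auth' => function ($username, $password) {
                return ApiUser::validateUser($username, $password);
            },
        ],
    ],
];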

user model

use yii\base\UserException;

// Returns the user identity, or throws if the credentials are rejected.
public static function validateUser($username, $psw)
{
    $user = self::findByUsername($username);
    if (!$username or !$psw or !$user) {
        throw new UserException("There is an error!");
    }
    if ($user->validatePassword($psw)) {
        return $user;
    }
    throw new UserException("Wrong username or password!");
}


With Postman it works fine, but I did not test it with the application.