
GAURAV VARMA


Rails 7.1 adds generates_token_for for easy token generation


Token-based workflows like password resets, email confirmations, and invitation flows are everywhere in Rails apps. Rails 7.1 introduces a built-in way to handle them securely and declaratively with generates_token_for.

This eliminates boilerplate and external gems, making token handling feel like native Rails magic.

What is generates_token_for?

It's a declarative API that generates signed, tamper-proof tokens scoped to a model and a named purpose. You can also add an expiration and a validation block.

Under the hood, it uses ActiveSupport::MessageVerifier.

Basic usage

class User < ApplicationRecord
  generates_token_for :password_reset, expires_in: 15.minutes
end

Generate a token:

token = user.generate_token_for(:password_reset)

Find the user from the token:

user = User.find_by_token_for(:password_reset, token)

Raise an error instead of returning nil if the token is invalid:

user = User.find_by_token_for!(:password_reset, token)

Token lifecycle and block validation

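You can optionally pass a block to generates_token_for that defines what makes the token valid. The block's return value is embedded in the token when it is generated, then recomputed from the record and compared during lookup. Because the token is signed but not encrypted, that value is readable by anyone who holds the token, so the block should not return sensitive data.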

class User < ApplicationRecord
  generates_token_for :name_confirmation, expires_in: 24.hours do
    name
  end
end

This means if the user’s name changes, the token becomes invalid—even before expiry.

user = User.create!(name: "John Doe")
token = user.generate_token_for(:name_confirmation)

User.find_by_token_for(:name_confirmation, token) # => user

user.update!(name: "Jane Doe")
User.find_by_token_for(:name_confirmation, token) # => nil

If no block is given, the token only expires after the expires_in duration.
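
To make the signing, expiry and block checks described above concrete, here is an added Ruby example (not code from the original post or from Rails) that models a signed, purpose-scoped token with the standard library only. SECRET, TokenModel and the payload fields are assumptions for illustration; the real token format produced by ActiveSupport::MessageVerifier differs.

```ruby
require "openssl"
require "json"

# Simplified model of a signed, purpose-scoped token (illustration only).
# SECRET, TokenModel and the payload layout are assumptions; Rails itself
# uses ActiveSupport::MessageVerifier with keys derived from its own secrets.
SECRET = "constructed-demo-secret"

module TokenModel
  module_function

  def sign(body)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, body)
  end

  # Constant-time comparison so the MAC check does not leak via timing.
  def secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # fingerprint stands in for the block's return value (e.g. the user's name).
  def generate(id:, purpose:, fingerprint: nil, expires_at: nil)
    json = JSON.generate({ "id" => id, "pur" => purpose,
                           "fp" => fingerprint, "exp" => expires_at&.to_i })
    body = [json].pack("m0") # strict Base64: encoded, not encrypted
    "#{body}--#{sign(body)}"
  end

  # Returns the record id, or nil when the token is forged, issued for another
  # purpose, expired, or the record's current fingerprint no longer matches.
  # The block receives the id and returns the record's current fingerprint.
  def verify(token, purpose:, now: Time.now)
    body, mac = token.to_s.split("--", 2)
    return nil unless body && mac && secure_eq(sign(body), mac)
    payload = JSON.parse(body.unpack1("m0"))
    return nil unless payload["pur"] == purpose
    return nil if payload["exp"] && now.to_i >= payload["exp"]
    current = block_given? ? yield(payload["id"]) : nil
    payload["fp"] == current ? payload["id"] : nil
  end

  # Anyone holding a token can decode its payload without knowing SECRET.
  def peek(token)
    JSON.parse(token.split("--", 2).first.unpack1("m0"))
  end
end
```

Verification fails closed (nil) on a bad signature, a different purpose, an expired timestamp or a changed fingerprint, while peek shows that the embedded value can be read without the secret.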

Real-world examples

Password Reset

class User < ApplicationRecord
  generates_token_for :password_reset, expires_in: 30.minutes
end

url = edit_password_url(token: user.generate_token_for(:password_reset))

Invite Token

class Invitation < ApplicationRecord
  generates_token_for :invite, expires_in: 2.days
end

url = accept_invitation_url(token: invitation.generate_token_for(:invite))

Auth Token (no expiry)

class User < ApplicationRecord
  generates_token_for :auth_token
end

token = user.generate_token_for(:auth_token)

This token won’t expire and remains valid even if attributes change. Nothing in the definition ever invalidates it, so treat it like a long-lived credential.

Bonus: Expiry vs Block

Configuration                    | Expires?        | Invalidated on update?
---------------------------------|------------------|-------------------------
`expires_in` only                | ✅ Yes (time)     | ❌ No
Block only                       | ❌ No             | ✅ Yes
Both `expires_in` and block      | ✅ Yes (time)     | ✅ Yes
None                             | ❌ No             | ❌ No

Summary

generates_token_for is a long-awaited addition that simplifies token-based workflows in Rails apps. It’s clean, secure, flexible, and comes with zero setup. Whether you're building email confirmations, one-time links, or long-lived auth tokens—this API has you covered.