Sending JSON API like 401 Unauthorized error with Devise

If you are using Ruby on Rails together with Devise gem you might be wondering how to handle unauthorized error responces in your JSON API.

JSON API prescribes that to send errors you need a root “errors” array of errors with as least a status code (as string) and a title (as string). Essentially that means to turn our error message issued by Devise into the following:


The problem is that Devise does not really throw an exception that we could rescue_from from our controller. What we need is to create a custom equivalent of Devise::FailureApp:

# Our custom failure response app since we want to return JSON:API like
# messages for some APIs.
module MyApp
  class FailureApp < Devise::FailureApp
    def respond
      if request.controller_class.to_s.start_with? 'API::'

    def json_api_error_response
      self.status        = 401
      self.content_type  = 'application/json'
      self.response_body = { errors: [{ status: '401', title: i18n_message }]}.to_json

In the respond method we can handle special cases by quering information from the request object. In our example we will respond differently in case where the controller is one of our API controllers. (This is because basing it on being a JSON requests would backfire for our AJAX endpoints. Feel free to adjust this to your needs.)

Once we have that in place we just need to tell Devise to actually use it which can be done within Devise initializer:

Devise.setup do |config|
  config.warden do |manager|
     manager.failure_app = MyApp::FailureApp

And that’s it!


I wrote a complete guide on web application deployment. Ruby with Puma, Python with Gunicorn, NGINX, PostgreSQL, Redis, networking, processes, systemd, backups, and all your usual suspects.

More →