How to destroy a session ("logout") using authenticated users

For Devise user models that use :token_authenticatable, e.g.

    class Voter < ActiveRecord::Base
      devise :token_authenticatable
    end

there was a route called destroy_user_session, so that you could log users out of the network by associating them with destroy_user_session_path. This seems to have changed in recent versions - now only :database_authenticatable creates a destruction route for me.

So, for users using token authentication, what is the appropriate way to implement the "log out" / "log off" action to end their sessions?

+6
1 answer

By default, when you log in through a token, Devise will store the user in a session, as in a database authentication strategy.

You can disable this by setting stateless_token to true in the initializer:

    Devise.setup do |config|
      config.stateless_token = true
    end

Thus, a token must be provided with every request.


As I understand it, token authentication was designed to work together with database authentication. devise_for will only add session routes if your model is database_authenticatable. This seems like a little oversight on Devise's part, but in my opinion, access tokens that leave the user in the session do not make much sense.

In either case, try manually defining routes for Devise sessions.

Adapted from Devise's routing helpers (unverified code):

    as :user do
      # User scope
      resource :session, :controller => 'devise/sessions' do
        # new_user_session | GET /users/sign_in => devise/sessions#new
        get :new, :path => 'sign_in', :as => "new"

        # user_session | POST /users/sign_in => devise/sessions#create
        post :create, :path => 'sign_in'

        # destroy_user_session | GET /users/sign_out => devise/sessions#destroy
        get :destroy, :path => 'sign_out', :as => "destroy"
      end
    end

In any case, the documentation for the devise_for helper indicates which routes are created and what they point to.

+5
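
A plain-Ruby model of the behaviour this answer describes, added here as an example and not taken from the answer or from Devise: with a stateful token the session keeps the user after one token login, while with stateless_token every request needs the token. The names TokenAuthModel, authenticate and sign_out are hypothetical, the token is constructed, and rotating the token on sign-out is an assumption of this example, not something the answer states.

```ruby
require 'digest'
require 'securerandom'

# Toy model, not Devise code. Users and tokens are constructed sample data.
User = Struct.new(:id, :token)

class TokenAuthModel
  def initialize(users, stateless:)
    @users = users
    @stateless = stateless
  end

  # Returns the authenticated user or nil; `session` is one client's session hash.
  def authenticate(session, token = nil)
    # Stateful mode: a user stored by an earlier token login is accepted as is.
    if !@stateless && session[:user_id]
      return @users.find { |u| u.id == session[:user_id] }
    end
    user = token && @users.find { |u| secure_equal?(u.token, token) }
    session[:user_id] = user.id if user && !@stateless
    user
  end

  # Log out: drop the session entry, then rotate the token (assumption of this
  # example) so the old token cannot simply open a new session.
  def sign_out(session)
    id = session.delete(:user_id)
    user = @users.find { |u| u.id == id }
    user.token = SecureRandom.hex(16) if user
    user
  end

  private

  # Compare fixed-length digests byte by byte without an early exit.
  def secure_equal?(a, b)
    da = Digest::SHA256.digest(a).bytes
    db = Digest::SHA256.digest(b).bytes
    da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  auth = TokenAuthModel.new([User.new(1, 'constructed-token')], stateless: false)
  session = {}
  auth.authenticate(session, 'constructed-token')
  puts "no token, same session: #{auth.authenticate(session).inspect}"
  auth.sign_out(session)
  puts "old token after sign_out: #{auth.authenticate(session, 'constructed-token').inspect}"
end
```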

Source: https://habr.com/ru/post/892354/

