Since Symfony 4.0 getCredentials() responsibilities has been split into 2 methods: // BEFORE use Symfony\Component\Security\Guard\AbstractGuardAuthenticator; class TokenAuthenticator extends AbstractGuardAuthenticator { public function getCredentials(Request $request) { if (!$token = $request->headers->get('X-AUTH-TOKEN')) { return null; } return ['token' => $token]; } } // AFTER class TokenAuthenticator extends AbstractGuardAuthenticator { public function supports(Request $request) { return $request->headers->has('X-AUTH-TOKEN'); } public function getCredentials(Request $request) { return ['token' => $request->headers->get('X-AUTH-TOKEN')]; } }