
Best way to implement an API for an SPA and mobile app

Hey there, I have created a project and right now I am a bit lost. Therefore, I am seeking help here.

Currently, I have implemented a stateless API with Laravel Sanctum. Why is my API stateless? Because I want to make use of my API with an SPA as well as a native mobile app for iOS and Android. My project/API is capable of very standardized CRUD functionalities such as registering, login, submitting posts, commenting on posts, liking and disliking posts etc.

However, I am starting to ask myself if that was the right way. The reason for this is the CORS protection and the XSS injection problem.

I do have a few questions which would help me to understand my problem:

  1. Do I need CSRF/CORS protection for my API?
  2. If CSRF/CORS protection is necessary, can I implement that into my stateless Laravel Sanctum API?
  3. Can I also make use of a stateful API when implementing an API for both an SPA and native mobile apps, and what are the advantages of a stateful API?
  4. The token which is issued by Laravel Sanctum does not expire by default. Are there any security concerns about an infinitely valid token?
  5. Would it be a better idea to use Laravel Passport and implement an OAuth 2 authentication to be used by an SPA and native mobile apps?

Kind regards and thank you!

LaryAI (Level 58):
  1. Yes, CSRF/CORS protection is necessary for your API to prevent unauthorized access and protect against cross-site scripting attacks.
  2. You can implement CSRF/CORS protection in your stateless Laravel Sanctum API by adding the appropriate middleware to your routes. For example, you can use the VerifyCsrfToken middleware to protect against CSRF attacks and the Cors middleware to enable CORS.
// Example route with CSRF and CORS protection.
// Laravel defines no 'csrf' or 'cors' middleware aliases by default, so the
// middleware classes are referenced directly: VerifyCsrfToken ships in the
// application skeleton and HandleCors is Laravel's built-in CORS middleware.
Route::middleware([
    \App\Http\Middleware\VerifyCsrfToken::class,
    \Illuminate\Http\Middleware\HandleCors::class,
])->post('/example', function () {
    // Handle request
});
  3. You can use a stateful API when implementing an API for both SPA and native mobile apps, but it may not be the best approach. A stateful API requires the client to maintain a session with the server, which can be difficult to manage in a distributed environment. A stateless API, on the other hand, is easier to scale and can be used by any client that can authenticate with a token.
  4. There are security concerns with an infinitely valid token, as it can be used by an attacker to gain unauthorized access to your API. To mitigate this risk, you can set an expiration time for your tokens using the withTTL method in Laravel Sanctum.
// Example token with a 1-hour expiration time.
// Sanctum has no withTTL() method; the expiry is the third argument of
// createToken() (name, abilities, expiresAt), and Sanctum rejects the token
// once that timestamp has passed.
$token = $user->createToken('token-name', ['*'], now()->addHour())->plainTextToken;
  5. Laravel Passport is a good option if you need to implement OAuth 2 authentication for your API. OAuth 2 is a widely-used standard for authentication and authorization, and Laravel Passport provides a simple way to implement it in your Laravel application. However, it may be overkill if you only need to authenticate users for your SPA and mobile apps. Laravel Sanctum provides a simpler way to authenticate users with tokens, which may be sufficient for your needs.
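An added example, not code from this thread or from the Sanctum project, of the expiring-token approach from point 4 using Sanctum's real createToken() expiry argument: a login route that issues a one-hour bearer token, and a rotation route that lets a still-valid token exchange itself for a fresh one and revokes the old copy, which limits the window a leaked token is usable in. It assumes Laravel 10+ with Sanctum 3.x, the default App\Models\User, and a mobile client that authenticates with a bearer token rather than a session cookie.

```php
<?php
// routes/api.php (added example; assumes Laravel 10+ and Sanctum 3.x)

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Laravel\Sanctum\PersonalAccessToken;

// Issue a token that Sanctum will reject after one hour. The third argument
// of createToken() is the expiry; the global 'expiration' setting (minutes)
// in config/sanctum.php is a fallback for tokens created without one.
Route::post('/login', function (Request $request) {
    $data = $request->validate([
        'email'       => ['required', 'email'],
        'password'    => ['required'],
        'device_name' => ['required', 'string'],  // one token per device
    ]);

    $user = User::where('email', $data['email'])->first();
    if (! $user || ! Hash::check($data['password'], $user->password)) {
        return response()->json(['message' => 'Invalid credentials.'], 401);
    }

    $token = $user->createToken($data['device_name'], ['*'], now()->addHour());

    return response()->json([
        'token'      => $token->plainTextToken,
        'expires_at' => $token->accessToken->expires_at,
    ]);
});

// Rotation: the client calls this shortly before expiry with its current
// bearer token. A new token with the same name and abilities is issued and
// the old one is deleted, so stale copies stop working immediately.
Route::middleware('auth:sanctum')->post('/token/refresh', function (Request $request) {
    $user    = $request->user();
    $current = $user->currentAccessToken();

    // Session-authenticated SPA requests carry a TransientToken, not a
    // database token; there is nothing to rotate for them.
    if (! $current instanceof PersonalAccessToken) {
        return response()->json(['message' => 'Bearer token required.'], 400);
    }

    $new = $user->createToken($current->name, $current->abilities, now()->addHour());
    $current->delete();

    return response()->json([
        'token'      => $new->plainTextToken,
        'expires_at' => $new->accessToken->expires_at,
    ]);
});
```

A client that rotates before expiry never has to show the login screen again, while a token that is not rotated dies on its own within the hour; the `expires_at` value in the response tells the client when to schedule the refresh.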
FrazeColder:

@LaryAI Thank you for your answer.

  1. How do I issue the CSRF/CORS token?
  2. How would I handle that on the client side, so the user does not have to log in again every hour?
