
stojankukrika's avatar

How to know from which URL a user sends a cURL request

Hi friends. Can you tell me how to know from which server/site I get a curl request? The story is something like this: I have an API for some data. Users can get that data using a query with an API key. But on the server (API) side I must detect whether that is a valid key for the user who sends the curl request to my API. How to do that? Do I need some more variables like a secret key or something, and how to do that? The API is in Laravel 5 and uses a MySQL database.

0 likes
14 replies
taijuten's avatar

Normally an API would be open, meaning you don't care where the request has come from.

What you would do is use token authentication to log a user in for that request. Within your API you would then check whether that user has permission to access the resource etc.

Here is an example of using JWT for API authentication

http://www.toptal.com/web/cookie-free-authentication-with-json-web-tokens-an-example-in-laravel-and-angularjs/#remote-developer-job

stojankukrika's avatar

Yeah, it's unique, but a user can use that key on many sites, so I want to disable that option.

stojankukrika's avatar

Maybe it helps: I call curl this way:

$query['appkey'] = 'some lenght key';
$str = '';
foreach($query as $k => $v)
     $str .= $k.'='.$v.'&';
$ch = curl_init();
$url = "http://apiwebsite/api/data?" . $str;
curl_setopt($ch, CURLOPT_URL, $url);
curl_exec($ch);
curl_close($ch);
bashy's avatar

@stojankukrika Please use http_build_query().......... :P

$data = [
    'foo' => 'bar',
    'baz' => 'qux',
];

http_build_query($data);

// foo=bar&baz=qux
1 like
erozas's avatar

@bashy sorry to bother, but what's the difference between curl and http_build_query? I'm trying to understand it, and from what I saw on PHP.net it builds a query for GET requests. When you say "please use http_build_query()", do you mean for GET requests?

bashy's avatar

@erozas That was directed at the code the previous person posted. They did a foreach() to loop through the query string items. That is such a bad way to go about it. Using http_build_query() will put the & and = symbols in for you based on an array of data.

That's not an alternative to cURL, it's for use within cURL. You can do this as well to do a POST.

curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));

Also if you want to conditionally add the query string on if data is set

$data = [
    'foo' => 'bar',
    'baz' => 'qux',
];

$url = 'http://someurl.com/api';

if ( ! empty($data))
{
    $data = http_build_query($data);
    $url = $url . '?' . $data;
}

echo $url; // http://someurl.com/api?foo=bar&baz=qux
1 like
erozas's avatar

Thanks for the answer bashy, after reading a little bit on the documentation and comparing it to stojankukrika's post I understood what you meant.

stojankukrika's avatar

Thanks for the answer @bashy, I made a correction to my request. I found the "josh-hornby/http" package to make requests, but I still have a problem: how to know from which server a request comes to my API. I need to know that so that a user uses only one key for one site, not one API key for many sites.

bashy's avatar

The English isn't great but from what I understand, you want to the IP or use an API key to verify each request?

You can use an API key (example: MJy4o5ZWl1O5iIt5o5S6p6PXi580ifg3) for users and only allow those keys to make requests?

stojankukrika's avatar

No. The user has an API key and he can use it. On the API server, I get his API key and see whether that API key is correct. But I don't want the user to use that key for more than one application/website. I want to limit the user to using one API key for one website/application. Every application has one key. Can I do it, and how? For now I have an API key generator and the API key to detect which user sent the request, but I don't know whether those requests come from one website or from more than one. I hope that is clearer :)

bashy's avatar

You'll want to use an IP based check for that. There's no other way to verify where the request came from apart from IP and a custom API key.

stojankukrika's avatar

So, I must check the IP of the user who sends the request. OK. But then I have another problem... how to enable the user to use this in development, on his localhost, and on the production server.

bashy's avatar

I don't know what sort of authorisation you need but, add an array of IPs? Not sure why you want to restrict it so much.
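
The per-key IP allowlist suggested in this thread ("add an array of IPs"), as an added example that is not part of the original posts: each API key is bound to the addresses of the servers allowed to use it. The key names, IP addresses and the `$apiClients` structure are constructed for illustration; a Laravel app would load them from its database and pass in `$_SERVER['REMOTE_ADDR']` as the caller address.

```php
<?php
declare(strict_types=1);

// Constructed sample data (hypothetical layout). Keys are stored as SHA-256
// hashes so a leaked table does not expose usable keys.
$apiClients = [
    hash('sha256', 'demo-key-site-a') => ['203.0.113.10', '192.0.2.25'], // production server + developer machine
    hash('sha256', 'demo-key-site-b') => ['198.51.100.0/24'],            // a whole subnet
];

/** True if IPv4 address $ip equals $rule or lies inside the CIDR range $rule. */
function ipMatches(string $ip, string $rule): bool
{
    if (strpos($rule, '/') === false) {
        return $ip === $rule;
    }
    [$subnet, $bits] = explode('/', $rule, 2);
    $bits = filter_var($bits, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 32]]);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($bits === false || $ipLong === false || $subnetLong === false) {
        return false; // malformed rule or non-IPv4 address: deny
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** Accept a request only if the key is known AND the caller IP is on that key's list. */
function isRequestAllowed(array $clients, string $appKey, string $remoteIp): bool
{
    $hash = hash('sha256', $appKey);
    foreach ($clients as $storedHash => $allowedIps) {
        if (!hash_equals((string) $storedHash, $hash)) { // constant-time comparison
            continue;
        }
        foreach ($allowedIps as $rule) {
            if (ipMatches($remoteIp, $rule)) {
                return true;
            }
        }
        return false; // valid key, but sent from a server that is not registered for it
    }
    return false; // unknown key
}

// The caller address must be the TCP peer address (REMOTE_ADDR); headers such
// as X-Forwarded-For are supplied by the client and cannot be trusted here.
var_dump(isRequestAllowed($apiClients, 'demo-key-site-a', '203.0.113.10')); // key used from its registered server
var_dump(isRequestAllowed($apiClients, 'demo-key-site-a', '198.51.100.7')); // same key reused from another site's server
```

If the API sits behind a reverse proxy or load balancer, `REMOTE_ADDR` is the proxy's address, so the check then needs the client address as reported by that trusted proxy only.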

stojankukrika's avatar

Maybe you're right. I will just check whether the API key is correct.
