n8udd

Security or practical implications for adding Breeze API?

I've started building a Laravel API loosely following the React-Expo tutorial on this site, and I set up the auth to use Sanctum.

After some initial setup I stumbled across the tidbit by Andre ("What's up guys... Andre here, and today...") for Breeze API and NextJS, and it dawned on me that I will probably want a web version of the app at some point going forwards.

I've created a new branch, and installed Breeze using the new API flag, then diffed the commit. I can't see any big issues, other than the fact that I had a login/logout route in my api.php file that gets overwritten.

The auth from the Breeze --api goes through auth.php, so I was wondering if there were any security implications or reasons to avoid what I've done?

Am I ok keeping the SPA auth routes in auth.php and using the api.php file for my API auth with the app?

drehimself

You should be fine. I would do the same if I needed both SPA auth and mobile app auth. I would probably rename one of the /login (and logout) endpoints; maybe for the mobile app endpoint, I would keep it as /sanctum/token like in the Sanctum docs.
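
A sketch of the mobile side of that split, added here as an example and not code from the thread or from Breeze: the token endpoint follows the pattern in the Sanctum docs and lives in routes/api.php, so it no longer collides with the Breeze /login and /logout routes in auth.php. It assumes the default `App\Models\User` model with the `HasApiTokens` trait; the revoke path and the throttle limit are assumptions.

```php
<?php
// routes/api.php: token auth for the mobile app. Breeze's cookie-based
// SPA routes (/login, /logout) stay untouched in routes/auth.php.

use App\Models\User; // assumed: uses Laravel\Sanctum\HasApiTokens
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\ValidationException;
use Laravel\Sanctum\PersonalAccessToken;

// Issue a token. With the default route prefix this is /api/sanctum/token.
Route::post('/sanctum/token', function (Request $request) {
    $request->validate([
        'email' => ['required', 'email'],
        'password' => ['required'],
        'device_name' => ['required', 'string', 'max:255'],
    ]);

    $user = User::where('email', $request->email)->first();

    // Same error for unknown user and wrong password, so the response
    // does not reveal which accounts exist.
    if (! $user || ! Hash::check($request->password, $user->password)) {
        throw ValidationException::withMessages([
            'email' => ['The provided credentials are incorrect.'],
        ]);
    }

    return ['token' => $user->createToken($request->device_name)->plainTextToken];
})->middleware('throttle:5,1'); // assumed limit: 5 attempts per minute

Route::middleware('auth:sanctum')->group(function () {
    // Hypothetical path: revoke only the token that made this request.
    Route::post('/sanctum/token/revoke', function (Request $request) {
        $token = $request->user()->currentAccessToken();

        // A cookie-authenticated SPA request carries a TransientToken, which
        // cannot be deleted; the SPA logs out through Breeze's /logout.
        if ($token instanceof PersonalAccessToken) {
            $token->delete();
        }

        return response()->noContent();
    });
});
```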
