Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
I want to create an API for 3-5 other applications. These applications are not SPAs, they are fully independed systems, like a shop that have to use my API.
If I get it right, then I think that https://laravel.com/docs/8.x/sanctum is not an option here.
I could use https://laravel.com/docs/8.x/passport because it comes with a client table, client hash etc, to allow other applications to communicate with my API, however I would not need the entire OAuth2 features.
Thus, I am thinking of writing my own clients table and authentication...
Is there any better choice? Maybe a package that just has the client authentication without OAuth2?
@elenktik Use OAuth (and Passport). It’s literally what it was made for.
You have external clients that need to access protected resources on your API server. So your API server should issue access tokens to authorised users to be able to make API requests.
@martinbean yes they are external clients, but they have no users that want to access resources. Infact, there are no users at all on the other clients. They are just applications that send stuff to my main application, so OAuth is actually not needed and thats why I am thinking the passport package is maybe too much overhead.
@elenktik OAuth still has an appropriate grant type for that use case: https://laravel.com/docs/8.x/passport#client-credentials-grant-tokens
The client credentials grant is suitable for machine-to-machine authentication.
They are just applications that send stuff to my main application
Sounds like you are retrieving from an API. So then you would follow their api spec and instructions.
@jlrdw no they are more like microservices that I have build myself, talking to each other
If you want security you can still have a token, see this example, but convert to laravel.
https://www.sitepoint.com/php-authorization-jwt-json-web-tokens/
Just make sure each 2-way communication has a "given" key or token or pin that is stored in database.
That is to avoid someone "hacking" in. Sort of like a login, but since a human isn't using you still need a token of some sort.
On a request, you compare the sent token with stored token to verify a match.
Please or to participate in this conversation.