
stgbuc

Using Inertia but wanting to switch the Auth method (from classic session based cookie to JWT)

Hello,

I am using Inertia with Vue.js, but for different reasons (one of which is that I have another app on a subdomain, and I want the users to get registered there too) I want to switch the way users authenticate.

Inertia says the following: "Rather, with Inertia you can simply use whatever authentication system your server-side framework ships with. Typically this will be a session based auth system."

By reading this I understand that I could switch to something like JWT (https://github.com/tymondesigns/jwt-auth). If I do switch, can I still use the classic server-side routing and controllers like I have been doing so far? Can I even switch the method, or am I bound to use the default one Laravel ships with?

Thanks

0 likes
4 replies
stgbuc

@martinbean Not sure what you mean. Are you saying I cannot use JWT with the classic server-side routing and controllers? If I want to change the auth flow to use JWT, should I ditch Inertia entirely?

martinbean

@stgbuc Not sure what’s difficult to understand? You shouldn’t use tokens for stateful server-side authentication. This includes JWTs. Stick to sessions and cookies.

stgbuc

@martinbean It's okay, I understood what you meant.

I am trying to decide which is the best option (without moving away from inertia and vue) to implement the following:

  1. User registers on mydomain.com/login
  2. Registered user navigates to app on subdomain.mydomain.com.
  3. When he presses login on subdomain.mydomain.com, he will be automatically logged in. (I am already using AWS Cognito and keeping that as a backup, but I need to move away from it.)

So currently I am doing this:

  1. Using Sanctum, I created an API route and provided the subdomain.mydomain.com application with a token.
  2. When the user registers on the main application, I generate and store an encrypted cookie (also using Lax + HttpOnly + Secure) that holds a UUID.
  3. subdomain.mydomain.com checks for the cookie and sends the payload (along with its own Sanctum token) to the API route, and the API route responds with the non-hashed UUID and email.
  4. If the subdomain app doesn't find that cookie, it redirects the user to mydomain.com/login and the user must authenticate.
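The handoff flow described in the post above, written out as an added example (this is not the poster's code and not Inertia's or Laravel's documentation). It assumes Laravel with Sanctum on both apps, a hypothetical `sso_handoffs` table (`id`, `user_id`, `expires_at`) on mydomain.com, a `uuid` column on the users table, that both apps share the same `APP_KEY` so Laravel's `EncryptCookies` middleware can decrypt the cookie on the subdomain, and an assumed config key `services.main_app.token` holding the Sanctum token issued to the subdomain app. It keeps the classic server-side routes and controllers on both sides; only the handoff between them goes through the API route.

```php
<?php
// Added example for this thread (not the poster's code). Assumes Laravel + Sanctum on
// both apps, a hypothetical `sso_handoffs` table (id, user_id, expires_at) on
// mydomain.com, and that both apps share APP_KEY so EncryptCookies decrypts the cookie.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cookie;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

// ---- mydomain.com, routes/web.php: set the handoff cookie after registration ----
Route::post('/register', function (Request $request) {
    // ... normal validation and user creation happen here; $user is the new user
    $user = $request->user();

    $handoff = (string) Str::uuid();          // random, single-use handoff id

    // Keep only a hash server-side, so a DB read alone cannot forge the cookie value.
    DB::table('sso_handoffs')->insert([
        'id'         => hash('sha256', $handoff),
        'user_id'    => $user->id,
        'expires_at' => now()->addMinutes(10),
    ]);

    // Parent-domain cookie so subdomain.mydomain.com receives it; the `web` middleware
    // group's EncryptCookies encrypts and signs it before it leaves the server.
    Cookie::queue(cookie(
        name: 'sso_handoff',
        value: $handoff,
        minutes: 10,
        path: '/',
        domain: '.mydomain.com',
        secure: true,
        httpOnly: true,
        sameSite: 'lax',
    ));

    return redirect('/dashboard');
});

// ---- mydomain.com, routes/api.php: exchange endpoint called by the subdomain app ----
Route::middleware('auth:sanctum')->post('/sso/exchange', function (Request $request) {
    // The bearer token belongs to the subdomain app's service account; require the ability.
    abort_unless($request->user()->tokenCan('sso:exchange'), 403);

    $data = $request->validate(['handoff' => ['required', 'uuid']]);
    $hash = hash('sha256', $data['handoff']);

    $row = DB::table('sso_handoffs')
        ->where('id', $hash)
        ->where('expires_at', '>', now())
        ->first();

    if (! $row) {
        return response()->json(['message' => 'invalid or expired handoff'], 401);
    }

    // Single use: delete before answering so a replayed cookie value is refused.
    DB::table('sso_handoffs')->where('id', $hash)->delete();

    $user = User::findOrFail($row->user_id);

    return response()->json(['uuid' => $user->uuid, 'email' => $user->email]);
});

// ---- subdomain.mydomain.com, routes/web.php: the "login" button target ----
Route::get('/login', function (Request $request) {
    $handoff = $request->cookie('sso_handoff');   // null if absent or not decryptable

    if (! $handoff) {
        return redirect()->away('https://mydomain.com/login');
    }

    // services.main_app.token is an assumed config key holding this app's Sanctum token.
    $response = Http::withToken(config('services.main_app.token'))
        ->acceptJson()
        ->post('https://mydomain.com/api/sso/exchange', ['handoff' => $handoff]);

    if ($response->failed()) {
        return redirect()->away('https://mydomain.com/login');
    }

    // Match on the UUID the main app vouched for, then start a normal local session.
    $user = User::where('uuid', $response->json('uuid'))->firstOrFail();
    Auth::login($user);
    $request->session()->regenerate();
    Cookie::queue(Cookie::forget('sso_handoff', '/', '.mydomain.com'));

    return redirect('/');
});
```

Three design points carry the security of this exchange: the cookie value is a random id rather than anything derived from the user, the main app stores only its hash with a short expiry and deletes it on first use, and the subdomain app never trusts the cookie by itself but only the main app's answer, obtained over its own Sanctum token. If the apps cannot share `APP_KEY`, add `sso_handoff` to the `$except` list of the subdomain app's `EncryptCookies` middleware and decrypt it explicitly with the main app's key instead of relying on the automatic decryption shown here.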
