--- I have updated the post to cover only the way to protect an API. ---
I have to work on an existing webapp developed with Laravel 7.x.
The client wants to share a small part of the functionalities of the app with his own clients. For me the best way is to develop an API, so that I have a secure API and the client develops the front to use the functionalities.
For the API, it won't be difficult, but I don't know for the moment if it's better to use Passport or Sanctum. Sanctum is probably simpler to work with. I have read the details of Passport and Sanctum in the Laravel documentation, but I don't really understand when it is really needed to work with OAuth.
I have read more documentation on OAuth2, and it seems to be useful only when some information needs to be shared between several apps, for example when subscribing to a new website with Google credentials.
Besides this, I read that Sanctum is for SPAs, and the app is not a SPA, but I can use Sanctum to protect an API too.
So to protect an API, what's the best way?
Use an id / password to receive back a token to access the API?
Generate a token on the website and use this token from another website?
I think it's not a good idea to generate an endless-life token on a website and then use it from another website. Perhaps it would be better to connect to a login endpoint to receive a short-life token to access the authorized secured endpoints.
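
The flow from the last paragraph (a login endpoint that returns a short-life token, which is then checked on each secured endpoint), as an added example that is not part of the original post and is not Laravel, Sanctum or Passport code. `TokenStore`, its in-memory array and the sample credentials are hypothetical stand-ins, and the 900-second lifetime is an assumed value.

```php
<?php
declare(strict_types=1);

// Added example: TokenStore and its in-memory array stand in for a database
// table; the user name and password below are constructed sample values.
final class TokenStore
{
    private $rows = [];   // sha256(token) => ['user' => ..., 'expires' => ...]
    private $users;       // user name => password_hash() output
    private $ttl;         // token lifetime in seconds (assumed: 900)

    public function __construct(array $users, int $ttl = 900)
    {
        $this->users = $users;
        $this->ttl = $ttl;
    }

    // Login endpoint: check id / password, hand back a short-life token.
    public function login(string $user, string $password, int $now): ?string
    {
        $hash = $this->users[$user] ?? null;
        if ($hash === null || !password_verify($password, $hash)) {
            return null;
        }
        $token = bin2hex(random_bytes(32));
        // Store only the digest, so a leaked table holds no usable token.
        $this->rows[hash('sha256', $token)] = ['user' => $user, 'expires' => $now + $this->ttl];
        return $token;
    }

    // Guard for a secured endpoint: the user name, or null if unknown or expired.
    public function authenticate(string $token, int $now): ?string
    {
        $key = hash('sha256', $token);
        $row = $this->rows[$key] ?? null;
        if ($row === null) {
            return null;
        }
        if ($now >= $row['expires']) {
            unset($this->rows[$key]);   // expired tokens are deleted, not renewed
            return null;
        }
        return $row['user'];
    }
}

$store = new TokenStore(['client-a' => password_hash('constructed-password', PASSWORD_DEFAULT)]);
$t0 = time();
$token = $store->login('client-a', 'constructed-password', $t0);
var_dump($store->authenticate($token, $t0 + 60));    // inside the lifetime
var_dump($store->authenticate($token, $t0 + 901));   // past the lifetime
```

The clock is passed in as `$now` so the expiry path can be exercised without waiting for the lifetime to elapse.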