
Flu (Level 1)

API Auth with different Domains

Hi guys

I use Laravel Sanctum's SPA-Authentication in various projects for authenticating the frontend to the API:

api.mydomain.com / mydomain.com

I am aware that I can only use this if I use the same domain. Now I am working in a project where the API has a completely different domain and has to authenticate various frontends to this API.

I solve this via Sanctum auth tokens at the moment: I store them in the frontend's localStorage and send them from the frontend via axios as a Bearer token. This works, but I am aware that localStorage is probably not the most secure solution. Are there better options (with or without Sanctum), or does Sanctum do anything in the background so this would not be a security issue?

Thanks for all your inputs, Fabian

0 likes
8 replies
Flu (Level 1)

@bugsysha hi & thanks for your input! But if I understand it correctly…

a few lines below in the docs: "In order to authenticate, your SPA and API must share the same top-level domain. However, they may be placed on different subdomains."

So I think I have to use tokens (which is what I actually do). So the question is how to handle this in the most secure/Laravel way on different frontend/API domains.

1 like
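One way to keep the Sanctum token out of localStorage on the SPA side, as an added example that is not code from this thread or from Sanctum itself (the names `createApiClient`, `apiOrigin` and `fetchImpl` are assumptions): the token lives only in memory, the Authorization header is attached only to requests whose origin matches the API, and a 401 from the API discards it.

```javascript
// Added example (not from the thread or from Sanctum): a minimal SPA-side
// client for a Sanctum bearer token. The token is held in a closure rather
// than localStorage, is sent only to the configured API origin (so a stray
// request to another host never carries it), and is dropped on a 401.
// `apiOrigin` and `fetchImpl` are assumed names; fetchImpl is injectable so
// the client can be exercised offline with a stub.
function createApiClient({ apiOrigin, fetchImpl = globalThis.fetch }) {
  let token = null; // never written to localStorage/sessionStorage
  const api = new URL(apiOrigin);

  // Compare full origin (scheme + host + port): "api.example.test" and
  // "api.example.test.attacker.example" are different origins.
  function isApiRequest(url) {
    const u = new URL(url, apiOrigin); // relative paths resolve to the API
    return u.origin === api.origin;
  }

  async function request(url, options = {}) {
    const headers = { ...(options.headers || {}) }; // plain-object headers
    if (token !== null && isApiRequest(url)) {
      headers.Authorization = `Bearer ${token}`;
    }
    const res = await fetchImpl(url, { ...options, headers });
    if (res.status === 401) {
      token = null; // API rejected it: forget it instead of retrying blindly
    }
    return res;
  }

  return {
    setToken(t) { token = t; },          // e.g. after a /login JSON response
    hasToken() { return token !== null; },
    willSendToken(url) { return token !== null && isApiRequest(url); },
    request,
  };
}
```

A page reload clears the in-memory token, so the SPA has to re-authenticate (or exchange a short-lived credential) rather than reading a long-lived token back from storage.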
turkalicious

Sorry to bump this old and possibly dead topic, but I am in the same situation. I'd really appreciate some input on what I should do. The API is Laravel and the user-facing app is NextJS. Each has its own domain.

Thank you

3 likes
turkalicious

@Citizen no, but I don't have the issue anymore. I use the Tenancy for Laravel package along with Sanctum and the Spatie permissions package. No issues so far.

1 like
