
laramit

API security

We have a Laravel app that will use ajax to access an API route to pull back data to populate various UI elements like select boxes. The API will just be our own API in the same Laravel app.

I know ajax can pass the CSRF token but is that enough to secure that API route? Does the CSRF token prevent anyone bypassing the app and accessing the API route directly or do we need to use something like Passport or JWT to authenticate with the API?

The API is an internal one, so it will only be used by our own Laravel app and doesn't need to be accessible by any other app or services, so can we just use the CSRF token to limit that?

Thanks.

Snapey
Best Answer

CSRF is only used to validate POST requests. It is also only of use where sessions are used (in your web routes).

If these ajax requests are coming from a web browser then use web routes. There is no advantage in making these API routes.

You will then automatically pick up the user's session, and know if they are authorised to receive the data.
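One way to set this up in the Laravel app described above, as an added example (not code from the thread): the routes live in `routes/web.php`, so the session and CSRF middleware of the `web` group apply, and `auth` on the group rejects any request that does not carry a logged-in session. The `Country` model, the `/ui/...` paths and the `country_id` column are assumptions.

```php
<?php
// routes/web.php (added example, not from the thread)
// Routes in this file get the "web" middleware group: session, cookies and
// CSRF verification. Adding "auth" means a request without a logged-in
// session gets a 401 JSON response (for requests that expect JSON) or a
// redirect to the login page, so calling the URL directly yields no data.

use App\Models\Country;   // assumed model used to fill a <select>
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth')->group(function () {
    // GET endpoint the UI calls to fill a select box. CSRF is not checked
    // on GET; the session cookie is what proves who is asking.
    Route::get('/ui/countries', function (Request $request) {
        $q = (string) $request->query('q', '');

        return Country::query()
            ->when($q !== '', fn ($query) => $query->where('name', 'like', $q.'%'))
            ->orderBy('name')
            ->limit(20)
            ->get(['id', 'name']);          // returned as JSON automatically
    })->name('ui.countries');

    // POST endpoint: besides the session, the web group's VerifyCsrfToken
    // middleware requires the token (X-CSRF-TOKEN header or _token field).
    Route::post('/ui/preferences', function (Request $request) {
        $data = $request->validate([
            'country_id' => ['required', 'integer', 'exists:countries,id'],
        ]);
        $request->user()->update($data); // assumes country_id is fillable on User

        return response()->json(['ok' => true]);
    })->name('ui.preferences');
});
```

The browser side needs nothing beyond a same-origin request carrying the session cookie; for the POST it must also send the token from the `<meta name="csrf-token">` tag in the `X-CSRF-TOKEN` header, which is the standard Laravel AJAX setup.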

laramit

Thanks Snapey,

Ah, so if we just have something like jQuery autocomplete getting data from our API then just use a web route and the user authentication already in place protects that. That makes sense!

Thanks again.
