Auth when using rest api for admin
Hi guys,
So I'm building an app that will eventually have an API as well as an existing admin backend.
The new auth drivers in 5.2 really help with this, however I'm stuck on the best way to authorize both admin and API requests.
Take for example a "page" resource/model.
In the admin currently I have an admin route which posts the data to /admin/pages.
In the future I want this to be accessible via the API as well, so I will have a route /api/v1/pages which can be posted to.
Now, thinking of DRY principles, it makes sense for the /admin/pages form to post to /api/v1/pages to actually create the page, meaning all of my create logic is handled by 1 method and not repeated anywhere else, which is simpler and means there's no chance of differences.
However admin usage will be session based, and obviously API usage will be stateless, probably via an API key as per the new API auth driver in 5.2.
I'm struggling to understand what would be the best method to authenticate admin usage to the API URLs.
What would people recommend?
1. Create an API key for every admin user, and pass this to all admin views as a JavaScript variable, then use this in all API requests from the admin.
2. Update the API middleware which looks for a token to authenticate by to also first check if there is an active authenticated session and use that if present.
I'm aware REST APIs should be stateless, and the actual API itself would be; just the authentication would first check if they are logged in, in a stateful way, before performing the normal API checks.
I'm against running internal requests, if that makes a difference, as I would still need to create admin routes for the resources, which then would defer to internal requests, which just seems repetitive.
There seem to be pros/cons for both methods:
For 1. the API and auth wouldn't need to change at all, but I would need to pass the API key with every request and store the API key in the admin views.
For 2. the JavaScript AJAX requests wouldn't need to pass an API key with every request, but the API middleware would need to be overwritten.
Is either method preferred? Or is there another way I haven't thought of that people would recommend?
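For option 2, here is one way the "session first, then token" middleware could look in Laravel 5.2. This is an added example, not the poster's code: the class name is hypothetical, and it assumes the default `web` (session) and `api` (token) guards from `config/auth.php` and that the /api/v1 routes run the session-starting middleware, so the `web` guard can see the admin's cookie. Because accepting a session cookie on an API route makes that route reachable by cross-site requests, the session branch also verifies the CSRF token that the admin's AJAX calls send in the `X-CSRF-TOKEN` header.

```php
<?php
// app/Http/Middleware/AuthenticateSessionOrToken.php  (hypothetical file name)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class AuthenticateSessionOrToken
{
    /**
     * Accept a request if EITHER the browser session guard ('web') or the
     * stateless token guard ('api') authenticates it. The session guard is
     * tried first so admin-originated AJAX calls need no API key in the page.
     */
    public function handle($request, Closure $next)
    {
        foreach (['web', 'api'] as $guard) {
            if (! Auth::guard($guard)->check()) {
                continue;
            }

            // A cookie-authenticated request is forgeable cross-site, so the
            // session branch must prove CSRF intent; token clients skip this.
            if ($guard === 'web' && ! $this->csrfTokenMatches($request)) {
                return response('CSRF token mismatch.', 403);
            }

            // Make the guard that succeeded the default for the rest of the
            // request so Auth::user() / $request->user() resolve through it.
            Auth::shouldUse($guard);

            return $next($request);
        }

        // Neither guard authenticated: API clients get a 401, browsers are
        // sent to login (mirrors Laravel's own Authenticate middleware).
        if ($request->ajax() || $request->wantsJson()) {
            return response('Unauthorized.', 401);
        }

        return redirect()->guest('login');
    }

    // Compare the submitted token against the session's token in constant time.
    protected function csrfTokenMatches($request)
    {
        $sent = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

        return is_string($sent) && hash_equals($request->session()->token(), $sent);
    }
}
```

Register the class in `$routeMiddleware` in `app/Http/Kernel.php` and apply it to the /api/v1 routes in place of `auth:api`; stateless clients keep sending their token exactly as before.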