Chrizzzz's avatar

Authenticated and unauthenticated route with "auth:api" middleware and Passport

Hi there,

I have a route protected with "auth:api" middleware. But I have the following need:

The route should be accessible from authenticated and unauthenticated users.

Sure, I can except an endpoint with: $this->middleware('auth:api')->except(['store']);

but then I can't get a user anymore if the request is authenticated. auth()->user() or Auth::user() are null.

Any ideas how I can solve this?

Regards, Chris

danmatthews's avatar

Interesting, would love to know your use case for this?

If the user is logged out and hitting the route, what do you need the $user object for? As you wouldn't need to know anything about that person - they're anonymous.

auth:api usually means that to access it, you need to provide an API key of some sort - if your route requires information about a user in order to function, then you can't really let anonymous people hit it.

Let me know a bit more about what you're trying to do and I'll try and help.

Chrizzzz's avatar

Hi Dan,

I have an endpoint POST: /api/events where people can send in some events/meetings (via Android and iOS app).

I would give registered and anonymous users the ability to send in some events.

If I protect the route with the "auth:api" middleware, only authenticated requests have access to the endpoint. If I leave off the middleware, all users can access the endpoint - but now even if an authenticated request comes in I can't get the user in the controller, Auth::user() is null. Do you know what I mean?

In the controller I would set a flag on the event model that indicates if the event was sent anonymously or from a registered user

    if (auth()->check()) {
        $newEvent->user_id = auth()->id();
        $newEvent->approved = true;
    }

If no "auth:api" middleware then auth()->check() always returns false.

36864's avatar

You could extend the authentication middleware and overwrite the authenticate() method to not throw an exception if the user isn't authenticated when using the api guard. Not sure how well that would play with the rest of the middleware, but it's a starting point.

danmatthews's avatar

@Chrizzzz I see!

In that case, yes, I'd suggest creating your own guard based off:

vendor/laravel/framework/src/Illuminate/Auth/TokenGuard.php

This is the standard api:auth guard I believe.

You can adjust the user() method in there to your needs.

You can then extend the auth to include your new guard, see:

https://laravel.com/docs/5.4/authentication#adding-custom-guards

Then from there, you can set the config in config/auth.php to use your custom guard for API authentication:

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],

        'api' => [
            'driver' => 'my_custom_guard_name',
            'provider' => 'users',
        ],
    ],

Hope this helps!

tebowner's avatar

I found this post and cannot be happier as this is exactly what I need (I think) :)

I am using Passport in Laravel 5.5 ... I have routes that need to be locked down via api:auth and then some do not. BUT the ones that do not - I still need to access the user (Auth) because I use this in the Resource to do "stuff" if this route is called while authenticated

Can I change the 'driver' => 'my_custom_guard_name', as this is now set to 'passport'? Do you have an example of how you create the new guard (where? how?) and then extend auth (where? how?) - keeping in mind Passport is being used

Also I cannot have this affect anything on the Web side - all of that auth stuff needs to remain the same

thanks in advance!
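
Added example, not code from any poster in this thread or from Laravel/Passport itself: one way to get optional authentication on a single API route without touching the 'api' guard's driver, so Passport and the web guard stay as configured. The class name OptionalApiAuth, the alias auth.optional and EventController are assumptions; a request that sends a bearer token which fails validation is rejected rather than treated as anonymous.

```php
<?php
// app/Http/Middleware/OptionalApiAuth.php (hypothetical class name and path)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class OptionalApiAuth
{
    /**
     * Resolve the user from the "api" guard when a valid token is sent,
     * let token-less requests through as anonymous, and reject requests
     * whose token is present but does not validate.
     */
    public function handle($request, Closure $next)
    {
        if (Auth::guard('api')->check()) {
            // Make "api" the default guard for this request only, so
            // auth()->check(), auth()->id() and auth()->user() work in
            // the controller. Routes without this middleware (including
            // the web side) keep their normal guard.
            Auth::shouldUse('api');
        } elseif ($request->bearerToken() !== null) {
            // A token was presented but is expired, revoked or malformed.
            // Fail closed instead of silently downgrading to anonymous.
            return response()->json(['message' => 'Unauthenticated.'], 401);
        }

        return $next($request);
    }
}

// Registration (assumed alias "auth.optional"), in app/Http/Kernel.php:
//   protected $routeMiddleware = [
//       'auth.optional' => \App\Http\Middleware\OptionalApiAuth::class,
//   ];
//
// routes/api.php, replacing "auth:api" on the one endpoint
// (EventController is a hypothetical controller name):
//   Route::post('/events', 'EventController@store')->middleware('auth.optional');
//
// In the controller, derive user_id and approved only from auth()->check()
// and auth()->id(); do not accept either field from the request body.
```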
