
kaiserlos

Consume dingo api with oAuth protection by ajax with authenticated user from the same domain

Hi,

I need a hint as I am somehow stuck in my brain.

The api backend and web frontend are based on one Laravel instance. The api is built on dingo and protected by oauth, using the client credentials flow for somehow public requests and the authorization / password flow for user authenticated requests.

The web frontend is built on its own controllers (which will consume the api internally in the future) and uses the typical user authentication of laravel.

Now I want to make some ajax requests from my web frontend to user specific api resources. As the user is logged in on the web frontend and it's the same instance, I feel like it should be easy to just call the specific api endpoint and get my results. But as it's protected by oauth I would first need to run through the whole authentication process and request an access_token ...

What's the best way to handle it, if I want to avoid the oauth flow for "internal ajax requests"?

Maybe adding JWT as alternative auth layer. Generate a token on my web frontend, use it for the request? But feels like I am blowing up my protection layers even more.

0 likes
2 replies
kaiserlos

Ok, building a little proxy endpoint for post ajax request with csrf protection and without cors.

Requests could then look like:

POST /ajax/get/me

POST /ajax/post/messages?body=abc

The proxy then creates an internal dingo api request and attaches the authenticated user.

Makes sense?
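
A sketch of the proxy described in the post above, added as an example and not code from the thread or from the Dingo project. The controller name, the route shown in the comment and the allow-list entries are assumptions; the dispatcher calls (`be()`, `once()`, `get()`, `post()`) are Dingo's internal-request helpers. The allow-list is the important part: forwarding arbitrary paths would let any session user reach every internal API route.

```php
<?php
// Added example: hypothetical AjaxProxyController; names and allow-list are assumptions.
namespace App\Http\Controllers;

use Dingo\Api\Exception\InternalHttpException;
use Dingo\Api\Routing\Helpers;
use Illuminate\Http\Request;

// Register inside the "web" middleware group so the session and CSRF token
// are verified, and behind "auth" so only logged-in users reach it, e.g.:
//   Route::post('ajax/{verb}/{resource}', 'AjaxProxyController@forward')->middleware('auth');
class AjaxProxyController extends Controller
{
    use Helpers; // exposes Dingo's internal dispatcher as $this->api

    // Explicit allow-list: "verb:resource" => request fields that may be forwarded.
    // Anything not listed here is never dispatched to the API.
    private $allowed = [
        'get:me'        => [],
        'post:messages' => ['body'],
    ];

    public function forward(Request $request, $verb, $resource)
    {
        $verb = strtolower($verb);
        $key  = $verb . ':' . $resource;
        if (!array_key_exists($key, $this->allowed)) {
            abort(404);
        }

        // Forward only the whitelisted fields, never the whole input bag.
        $params = $request->only($this->allowed[$key]);

        // Act as the session user for this single internal request only.
        $dispatcher = $this->api->be($request->user())->once();

        try {
            $result = $verb === 'post'
                ? $dispatcher->post($resource, $params)
                : $dispatcher->get($resource, $params);
        } catch (InternalHttpException $e) {
            // Pass the API's own error response (401, 403, 422, ...) back to the browser.
            return $e->getResponse();
        }

        // Internal dispatch returns the endpoint's original data, not a rendered response.
        return response()->json($result);
    }
}
```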

digitaldreams

Use Passport, then you will find exactly what you wanted here.
