I'm really new to the whole JWT authentication thing, and from what I understand so far from researching, in order for me to be able to secure my API from external requests (requests made from other servers/domains), I would have to make use of CORS (this package specifically: https://github.com/barryvdh/laravel-cors) and set
'allowedOrigins' => ['*'] to
'allowedOrigins' => ['mydomain'] in order to tell it to only accept requests coming from my web app. But since reading the Laravel docs on the CreateFreshApiToken middleware over and over again, I have realized that I may not need CORS after all, since this middleware, as stated in the docs, passes the CSRF token I have in a meta tag with each request, which my app uses to validate them. If anyone could shed some light on whether or not I understand these concepts correctly, I would really appreciate it. Thanks in advance.
PS: What I am basically trying to do is just disallow all incoming requests IF they are not made specifically from my app.