neonodyssey

Fortify login through api

Hi all,

I hope someone can point me in the right direction. I am looking into creating an API request to "login" a user through an API.

Why do I need an API for a login?

I am creating a desktop application where a user is required to log in. Once the user has logged in with their user credentials, the API will return their user information.

Alternative options

Another option I could take is to encrypt the username and password together and save that into the database on register. Then, when the user logs in through the application, the application sends an API request with the encrypted username and password.

Any pointers and help are welcome.

0 likes
4 replies
chaudigv

Fortify is simply a back-end infrastructure that provides features like authentication. To use it, to communicate with it, you will need to use either Sanctum or Passport.

1 like
neonodyssey

I have been looking into Sanctum and Passport to do this with. I've been told to use Passport over Sanctum, but I've also been told to use Sanctum over Passport.

Which one would you recommend, and how would I verify a username and password via this method? I've looked into the Fortify documentation and I can't seem to find anything that points to authenticating the username and password other than posting to the login route (that requires a CSRF token, which, from what I understand, wouldn't be feasible with an API for a desktop application).

chaudigv
Best Answer
Level 16

I would recommend starting with Sanctum. It's quite simple and straightforward.

e.g. for SPA Authentication

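login() {
    // Sanctum SPA flow: fetch the CSRF cookie first, then post the credentials.
    axios.get('/sanctum/csrf-cookie').then(response => {
        axios.post('/login', {
                email: this.email,
                password: this.password
            })
            .then(response => {
                // Session cookie is set; move on to the authenticated area.
                if (response.status === 200) {
                    this.$router.push({
                        name: 'Dashboard'
                    });
                }
            })
            .catch(errors => {
                // errors.response is undefined when the request never reached the server.
                if (!errors.response) {
                    this.exception = errors.message;
                    return;
                }
                if (errors.response.data.exception) {
                    this.exception = errors.response.data.message;
                }
                // Validation errors keyed by field name.
                this.errors = errors.response.data.errors;
            })
    });
}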

I highly recommend reading the docs.

1 like
martinbean

@neonodyssey You’re attempting to solve a problem that’s already been solved.

An app running on a computer is no different to an app running on a smartphone, so OAuth would be a suitable authentication mechanism to use here.

Laravel provides Passport as an OAuth server wrapper. The authorization code grant with PKCE would be the most appropriate grant type to use. The user will be prompted to authorise the application in a browser, then returned back to the native app where the app will receive an access token. The app can then use this access token to make API requests on behalf of the user.
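
The client side of the authorization code grant with PKCE mentioned in the reply above, as an added example that is not part of the thread or of Passport's code. The host, client ID and loopback redirect URI are constructed placeholders, and the endpoint path and parameter names are assumed to follow Passport's documented PKCE flow.

```javascript
// Added example: PKCE (RFC 7636) values for a native app, no client secret involved.
const crypto = require('node:crypto');

// Constructed placeholders, not values from the thread.
const AUTH_SERVER = 'https://auth.example.test';
const CLIENT_ID = 'desktop-client-id-placeholder';
const REDIRECT_URI = 'http://127.0.0.1:8765/callback';

// code_verifier: 32 random bytes give 43 base64url characters (RFC 7636 allows 43-128).
function newCodeVerifier() {
  return crypto.randomBytes(32).toString('base64url');
}

// code_challenge for the S256 method: BASE64URL(SHA-256(ASCII(code_verifier))).
function codeChallenge(verifier) {
  return crypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Step 1: URL the app opens in the system browser. Only the challenge leaves the app.
function buildAuthorizeUrl(verifier, state) {
  const url = new URL('/oauth/authorize', AUTH_SERVER);
  url.search = new URLSearchParams({
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    response_type: 'code',
    scope: '',
    state,
    code_challenge: codeChallenge(verifier),
    code_challenge_method: 'S256',
  }).toString();
  return url.toString();
}

// Step 2: check the redirect, then build the body for POST /oauth/token.
function buildTokenRequest(callbackUrl, expectedState, verifier) {
  const params = new URL(callbackUrl).searchParams;
  const got = Buffer.from(params.get('state') || '');
  const want = Buffer.from(expectedState);
  // Reject responses that do not carry the state this app generated.
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch: discard this response');
  }
  if (!params.get('code')) throw new Error('no authorization code in callback');
  return {
    grant_type: 'authorization_code',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    code_verifier: verifier, // server recomputes the challenge from this
    code: params.get('code'),
  };
}
```

The verifier and state should be generated fresh for every login attempt and kept only in the app's memory until the token request is made.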
