derrickrozay:

How to secure API endpoints for an app that doesn't have a login?

I'm not sure what to use to secure my API endpoints so that not everybody can post or get data without authorization. The app will have no login and registration; it will be used in-house. What should I use? JWT? How would I incorporate JWTs without a login?

The front end of the app is Angular 2. There are only two routes: one GET route that pulls data from the database, and one POST route for file upload.

Examples or tutorials would be appreciated.

derrickrozay:

I'm not sure how I would implement that. Doesn't Passport require you to have some sort of user authentication?

gustav1105:

@derrickrozay Yes, I think you are right: to consume your API with Passport you will have to be authenticated already to create a fresh API token.

Well, just an idea, but if the whole operation is being done in-house, just set up your server to allow certain IP addresses through.

J_shelfwood:

Like @gustav1105 said, set up some IP restrictions. I did the same thing for my Laravel app. I didn't know how to use Passport, but I did want to leverage Vue with AJAX functionality. I basically just hosted it locally without any API protection at all.

However, I don't know if it's the safest thing ever, as I'm not an expert when it comes to security, though I think you should be fine if the information displayed in the app itself isn't very confidential.

derrickrozay:

@gustav1105 So you mean, on my web hosting, only allow certain IPs to access the API? I believe this can also be done in the API itself.

gustav1105:

@derrickrozay Yes, I imagine that would be the easiest, so you don't have to code in authentication; just set it on your server to allow certain IPs.

But I have just read the thread from @bashy, and he does make a very valid point. I haven't dug this deep into Passport, so I can't really be opinionated, but I imagine you could set the bearer token on the request. That will generate the token you need, but as for the execution thereof, ask @bashy.
