
PaulDiamant's avatar

Laravel and an API for mobile application

I'm developing a website which will probably require an app as well, however I was wondering how I should go about handling user authentication for mobile apps that can retrieve the same data that Laravel does, from the database. I know that APIs should be stateless using a token, and I've used JWT before and also heard of OAuth. Is there a difference between those two? Should I also create API routes for managing the website so I can also integrate HTTP calls in the app to those API routes?

On another subject, I am going to use Ionic/Angular or something to create a hybrid app, unless it is not recommended....

NicoDevs's avatar

I think the best approach is to develop one single API capable of being consumed by many applications (mobile, web, etc.) in the same way. One set of routes, all API routes. If I'm not wrong, the consumer app will be an SPA, so you don't need anything else.

The OAuth protocol supports several different types of authentication and authorization; JWT is one standard way of creating the tokens OAuth uses.

I use JWT with this package: https://github.com/tymondesigns/jwt-auth

You can log in a user like this:

$credentials = $request->validate([
    'email' => 'required|email',
    'password' => 'required'
]);

if (!$token = JWTAuth::attempt($credentials)) {
    throw new InvalidCredentialsException;
}

return [
    'data' => array_merge(auth()->user()->toArray(), ['token' => $token]),
    'success' => true
];

That will return a token (a long string) that should be sent in subsequent calls. You can send the token as a header or URL param (check the package docs).

If the token is valid, you can access the user data like this:

$user = JWTAuth::parseToken()->authenticate();

Or just using the Laravel auth functions:

$user = auth()->user();

Let me know if you need more help.

PS. Angular is good, the Laravel community is more Vue oriented, but both are great for SPAs.

PaulDiamant's avatar

@NicoBeta So I shouldn't use sessions for authentication and instead use tokens for both web and mobile app? Or one API that can be consumed by many applications that also verifies the request origin, so for example if the request was made by web the session must be valid or if the request was made via an app then it checks for JWT token.

NicoDevs's avatar

Yes, @PaulDiamant, I wouldn't use sessions in the traditional way. Yes, that one API would be consumed by many clients (consider your web app as a client).

That should help you not to repeat code: you just have one entry point and one way to authenticate your users, the token generated via JWT.

Yes, you can additionally check the client in each request, and return an error if the token generated in one client wants to be used in another (for example, a mobile token used in a web request). But that's an additional and optional check that may not be necessary in the beginning.

Let me know if that's clear.
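The optional per-client check described in the reply above, as an added example that is not part of the original thread and is not code from the jwt-auth package: a plain-PHP HS256 token carrying an `aud` claim, verified against the audience the server expects for the route being called. The helper names, the `web`/`mobile` audience values and the secret are assumptions made for illustration; the expected audience is fixed per route group on the server rather than read from a client-supplied header.

```php
<?php
// Added example: the helpers, claim values and secret below are constructed.

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): string {
    $padded = str_pad($txt, strlen($txt) + (4 - strlen($txt) % 4) % 4, '=');
    return (string) base64_decode(strtr($padded, '-_', '+/'), true);
}

function issue_token(array $claims, string $secret): string {
    $head = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body = b64url(json_encode($claims));
    $sig  = b64url(hash_hmac('sha256', "$head.$body", $secret, true));
    return "$head.$body.$sig";
}

// Returns the claims, or null when the token is malformed, has a bad
// signature, is expired, or was issued to a different client.
function verify_token(string $jwt, string $secret, string $expectedAud, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$head, $body, $sig] = $parts;

    // Pin the algorithm on the server; the token does not get to choose it.
    $header = json_decode(b64url_decode($head), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') return null;

    // Constant-time comparison of the recomputed signature.
    $expected = b64url(hash_hmac('sha256', "$head.$body", $secret, true));
    if (!hash_equals($expected, $sig)) return null;

    $claims = json_decode(b64url_decode($body), true);
    if (!is_array($claims)) return null;
    if (($claims['exp'] ?? 0) <= $now) return null;               // expired
    if (($claims['aud'] ?? null) !== $expectedAud) return null;   // wrong client
    return $claims;
}

$secret = 'constructed-demo-secret';   // sample value, not a real key
$now    = time();
$mobile = issue_token(['sub' => 42, 'aud' => 'mobile', 'exp' => $now + 900], $secret);

var_dump(verify_token($mobile, $secret, 'mobile', $now) !== null);       // same client
var_dump(verify_token($mobile, $secret, 'web', $now) !== null);          // token presented to the other client's routes
var_dump(verify_token($mobile, $secret, 'mobile', $now + 901) !== null); // after the expiry time
```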

Abdar169's avatar

I have a Laravel function which returns the data to my view file in Blade. How can I get the JSON at the same time, which I will use in the mobile application?

martinbean's avatar

@Abdar169 Please create your own threads for your own questions, instead of replying to someone else’s thread that is over half a decade old.
