Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
I am trying to understand the authentication of API for Mobile App & Web App. What's the best approach to develop API using a single endpoint rather than developing an individual route for Web & Mobile App respectively?
In my case, I used Sanctum token to authenticate the API for mobile App, what's the other case for web apps? can I use the Sanctum CSRF-cookie to authenticate the same API which is used for mobile App?
Is that possible?
Does the mobile app that need to be an API, or do you just need a web mobile-friendly app for mobile, meaning responsive and optimized for mobile. Or is it something you will be installing like you do through the Google Play Store.
In other words why does it have to be an API if it's a web application on desktop.
If an api, I think passport is much better. Just my opinion.
Thanks for your reply!
API for Mobile Application, not for the responsive multi-device web application. But, I would like to understand how authentication works for both mobile applications and also Web applications without duplicating the code?
For example, users can log in to the eCommerce mobile App and also to the Website.
If am getting you right, "talking of api endpoints for a mobile application or a web application"
First lets switch your thinking, "you never need two separate endpoints to handle this, unless the processing of from this api endpoints is different from both the mobile or web side"
With this in mind, api endpoints once created should work with whatever listener as long as it can process it. So basically, all you need is just a single laravel application with the given api endpoints (in your api.php file), then on your mobile app, all you need to do is consume this api, just like you would do in any other website trying to access your resources from your site via xhr requests.
Thanks for your reply!
But, how authentication is works for both Mobile and Web?
Can I use Sanctum to Authenticate API for Mobile Application and also for Website?
But, how authentication is works for both Mobile and Web?
If both web, then session. If the mobile is an api, that's token based. For an api passport is a better choice, but that is my opinion and preference.
Edit: I suppose sanctum would work, but read the docs.
And if the mobile needs to be an api, why wouldn't the desktop version need to be an api as well?
without duplicating the code?
It's not duplicated, you just have extra to deal with the api end of it, to send the json or xml data to your program you wrote for mobile devices to display.
Similar to a weather app. Also just curious, what software are you looking at for the mobile app.
As like you said, I want to use API for both Mobile & Web apps.
When you authenticate API to consume in Mobile, we will use API tokens. Similarly, In desktop web applications(SPA) we will use Cookies, and that will be secure to consume the API(as I read the docs).
How to achieve both API token and CSRF Cookie in Single Laravel application
http://websites.com/api/auth/login - return CSRF Cookies http://api.websites.com/api/auth/login - return API token
Edit: Or I can use Sanctum token to authenticate API Endpoints in Web? Is that secure?
@lianmaymesi You’ve asked about three times now. The Sanctum docs clearly state that you can use both API token-based authentication and cookie-based authentication.
So, you can build a single API, add the auth:sanctum middleware to your API routes, and then have your web app authenticate use cookies and your mobile apps authenticate using tokens.
For anyone else stumbling on this old thread while trying to figure out more details on how this actually works, the EnsureFrontendRequestsAreStateful middleware in sanctum (https://github.com/laravel/sanctum/blob/3.x/src/Http/Middleware/EnsureFrontendRequestsAreStateful.php) checks for the existence of the domain in the origin/referer among the http request headers:
$domain = $request->headers->get('referer') ?: $request->headers->get('origin');
if (is_null($domain)) {
return false;
}
And then skips setting the session/cookies and csrf token checks for requests from mobile apps:
return (new Pipeline(app()))->send($request)->through(static::fromFrontend($request) ? [
function ($request, $next) {
$request->attributes->set('sanctum', true);
return $next($request);
},
config('sanctum.middleware.encrypt_cookies', \Illuminate\Cookie\Middleware\EncryptCookies::class),
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
config('sanctum.middleware.verify_csrf_token', \Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::class),
] : [])->then(function ($request) use ($next) {
I understand that the original poster (OP) is seeking clarification on the specifics of a login API.
In the context of a login API, the standard practice is to utilize the "web guard" and return a Sanctum token as part of the response. However, a challenge arises in the login API process—it either requires the CSRF token, which can be obtained using the /sanctum/csrf-token endpoint (though this involves managing cookies and fetching the token), or it necessitates excluding the login route from the CSRF verification middleware.
An alternative approach involves creating a new route (/api/login), where the username and password can be authenticated, and a Sanctum token can be issued. Subsequently, this Sanctum token can be utilized for authentication in other APIs. It's important to note that this open route (/api/login) lacks CSRF protection, similar to other API routes.
Please or to participate in this conversation.