
ms1987:

Laravel API / CAS System

Dear all,

I am looking into the capabilities of building an API / CAS system using Laravel. The general idea is to create this as a backend that will provide secure authentication for several sites & mobile apps.

I have been reading up on this one: https://github.com/francescomalatesta/laravel-api-boilerplate-jwt/tree/master/database

But I am still wondering if it might not be better to start from scratch, to make sure that I grasp everything within the API to the fullest and can perfectly tailor-fit it to my project's needs. Like having a frontend on the API that allows the creation of users, adding them to certain groups, allowing / disallowing them access to certain apps, ...

What are your experiences with this?

PS: One stupid question, when using JWT, do you store the token that was delivered to the user in the API's backend? I suppose not... since it is stateless... So you just "decrypt" the received token every time to find out if you can match this to a user?

Many thanks in advance!

jekinney:

Laravel does API very well by default. Just return data and it's JSON. Instead of returning a view in a controller, just return the data. Simple as that, seriously.

Tokens are dependent on your need. For a mobile app hashing isn't required. If you need more than that, look at an OAuth 2 implementation.

willvincent:

And if you're only doing an API, not an API and a frontend, it's probably worth considering Lumen as it's much lighter weight.

Guardian:

Dear all, Thanks for the comments and opinions.

Would you mind elaborating a little more on the usage of OAuth vs JWT and so on?

I will have a frontend that allows admins to log in and administer the users. (This will be Blade based in the beginning, I suppose, but might be JS based later on.)

Other than this admin interface, secure authentication and permission handling are the main key concepts...

Also, was my assumption correct about the fact that you never store the tokens, but "analyse" every token that comes in via the headers in each request?

Thanks again all!!
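As an added illustration of the token question asked above (not code from the thread or from the linked boilerplate), this plain-PHP block shows the stateless check a JWT backend does on every request: the token is signed, not encrypted, so the server recomputes the HMAC with its secret, checks `exp`, and only then trusts the `sub` claim to look up the user; nothing about the token is stored server-side. The secret, the user id 42 and the 15-minute lifetime are constructed sample values; the practical caveat is that a purely stateless token cannot be revoked before `exp`, so keep lifetimes short or add a denylist if you need logout-everywhere.

```php
<?php
// Added example (not from the linked boilerplate): HS256 JWT issue + verify.
// The secret is a constructed sample; in Laravel it would live in config, never in code.

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data) {
    $pad = strlen($data) % 4;
    if ($pad) { $data .= str_repeat('=', 4 - $pad); }
    return base64_decode(strtr($data, '-_', '+/'), true); // strict: false on bad input
}

// Issuing side: header and claims are only base64url-encoded (readable by anyone),
// the third part is an HMAC over "header.payload" with the server secret.
function issue_hs256_jwt(array $claims, string $secret): string {
    $h = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $p = base64url_encode(json_encode($claims));
    $s = base64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));
    return "$h.$p.$s";
}

// Verifying side, run on every request: returns the claims, or null if invalid.
function verify_hs256_jwt(string $jwt, string $secret, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { return null; }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64url_decode($h) ?: '', true);
    // Pin the algorithm server-side; never let the token's "alg" choose the check.
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') { return null; }
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    $sig = base64url_decode($s);
    if ($sig === false || !hash_equals($expected, $sig)) { return null; } // constant-time
    $claims = json_decode(base64url_decode($p) ?: '', true);
    if (!is_array($claims) || !isset($claims['exp'], $claims['sub'])) { return null; }
    if ($now >= (int) $claims['exp']) { return null; } // expired
    return $claims;
}

$secret = 'constructed-demo-secret-replace-with-long-random-value';
$now = time();
$token = issue_hs256_jwt(['sub' => 42, 'iat' => $now, 'exp' => $now + 900], $secret);

$claims = verify_hs256_jwt($token, $secret, $now);   // valid: claims array
$userId = $claims['sub'] ?? null;                     // then e.g. User::find($userId)
$tampered = verify_hs256_jwt(substr($token, 0, -2) . 'xx', $secret, $now); // signature mismatch
$expired  = verify_hs256_jwt($token, $secret, $now + 901);                 // past exp
```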
