I'm working on an API which needs to be able to let our customers create clients and make API calls with them. I turned to Passport for OAuth support, but when implementing this feature I found out that most if not all of Passport is built upon the web guard, while our SPA frontend uses the API guard to communicate with the backend.
This means that our users aren't authenticated when going to the /authorize route as this is served from the backend, and it expects a session. Is there a way to still use the API guard for our SPA frontend and allow our users to still authenticate with the /authorize endpoint? Or should we change our way of authentication and use the web guard for our SPA frontend?
@cirqll You use Passport to issue OAuth tokens, which you’d then normally use to make a request to an API, protected by the auth:api guard.
So, how are you intending to get tokens to use for api guard-protected routes, if the route to get tokens is also protected by the api guard? You’re going to end up in a Catch-22 scenario.