If you are using passport already read about client grants:
https://laravel.com/docs/8.x/passport#client-credentials-grant-tokens
If not, for restricting domains that can make requests to your endpoints, check your CORS configurations:
https://laravel.com/docs/8.x/routing#cors
Another option is adding a very simple auth guard that handles a token not attached to any user using this:
https://laravel.com/docs/8.x/authentication#closure-request-guards
===
If using this last option, the basic steps are this:
1 - Add this code to your AuthServiceProvider's boot method:
Auth::viaRequest('custom-token', function ($request) {
return $request->input('token') === 'my-secret-token';
});
2 - Add this new guard to your app's ./config/auth.php file under the guards key:
'guards' => [
'api' => [
'driver' => 'custom-token',
],
],
3 - On your ./routes/web.php tell the routes to use that guard:
Route::get('/data', [MyController::class, 'index'])->middleware('auth:api');
Route::post('/data', [MyController::class, 'store'])->middleware('auth:api');
4 - Send that token with your ajax payload
Note that instead of sending the token as a input field you can send it as a header when using ajax calls.
Hope it helps