
RemizZ's avatar

Passport and Sanctum for a JSON API

If my Laravel JSON API needs to use Passport for API to API communication (a microservice architecture) AND be available to phone apps and SPAs on different domains, do I need to use both Passport and Sanctum to achieve this? It looks to me like they have conflicting traits and are not really meant to work side by side.

Does anyone have any experience with this? Do I need to cheat cookie auth into Passport or can I run them both side by side somehow?

Thanks!

martinbean's avatar

> do I need to use both Passport and Sanctum to achieve this?

@remizz No. You can use Passport for mobile app authentication as well. Just create different clients for the different use cases.

The client credentials grant would be appropriate for API to API authentication:

> The client credentials grant is suitable for machine-to-machine authentication.

You can use the authorization code grant with PKCE to authenticate your mobile app:

> The Authorization Code grant with "Proof Key for Code Exchange" (PKCE) is a secure way to authenticate single page applications or native applications to access your API.

RemizZ's avatar

Oh thank you, I didn't know about PKCE. I'll try that. It's still strange that there is so little information about this and I see a lot of big faces ask about it on Twitter.

martinbean's avatar

@remizz I just think because it’s a tricky subject. I’ve worked with OAuth (and in turn, Passport) a fair bit.
