
ahoi

Sanctum: Allow only requests to API made by vue-app; but allow guest-users

Hello everybody,

I'd like to use sanctum to allow my Vue-SPA to authenticate users etc.

This works fine for this route:

Route::middleware('auth:sanctum')->get('/user', [UserApiController::class, 'view'])
     ->name('api.user.view');

But now I have some information that does not need an authenticated user - e.g. showing a product list:

Route::apiResource('product', ProductApiController::class); //contains index, show, ...

Now here's my point: Using these routes, anybody can call the API endpoints using curl:

curl http://myapp.test/api/product/2

What I want to achieve: I want to only give access to API requests that are triggered by using the SPA.

martinbean

@ahoi Look into CORS.

But, if you have routes that don’t require authentication, then there’s nothing stopping something hitting the API endpoints using something like cURL or Postman.
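
The point made in the reply above, modelled as an added example that is not part of the thread and not Laravel's or Sanctum's own code: a CORS allow-list changes a response header that browsers act on, while the public route still answers every caller. The SPA origin `http://spa.myapp.test`, the second site `http://other.test`, the product data and all function names are assumptions made for the illustration.

```javascript
// Added example: a model of who enforces CORS. All names and data are constructed.
const API_ORIGIN = 'http://myapp.test';       // API host from the question
const SPA_ORIGIN = 'http://spa.myapp.test';   // assumed origin of the Vue SPA
const PRODUCTS = { 2: { id: 2, name: 'Sample product' } };

// Server side: a public route with a CORS allow-list. The allow-list only
// decides whether a response header is added; the body is sent either way.
function handlePublicProduct(request) {
  const match = /^\/api\/product\/(\d+)$/.exec(request.path);
  const product = match ? PRODUCTS[match[1]] : undefined;
  const headers = { 'content-type': 'application/json', vary: 'Origin' };
  if (request.headers.origin === SPA_ORIGIN) {
    headers['access-control-allow-origin'] = SPA_ORIGIN;
  }
  return product
    ? { status: 200, headers, body: JSON.stringify(product) }
    : { status: 404, headers, body: JSON.stringify({ message: 'Not found' }) };
}

// Browser side: page script may read a cross-origin response only if the
// server named the page's origin. This check runs in the browser, not the API.
function browserScriptCanRead(pageOrigin, response) {
  if (pageOrigin === API_ORIGIN) return true; // same-origin, CORS not involved
  return response.headers['access-control-allow-origin'] === pageOrigin;
}

// Three callers of the same endpoint: the SPA, another website, and cURL.
function compareClients() {
  const path = '/api/product/2';
  const other = 'http://other.test';
  const fromSpa = handlePublicProduct({ path, headers: { origin: SPA_ORIGIN } });
  const fromOtherSite = handlePublicProduct({ path, headers: { origin: other } });
  const fromCurl = handlePublicProduct({ path, headers: {} }); // cURL sends no Origin
  return {
    spa: { status: fromSpa.status, readable: browserScriptCanRead(SPA_ORIGIN, fromSpa) },
    otherSite: { status: fromOtherSite.status, readable: browserScriptCanRead(other, fromOtherSite) },
    // No browser sits between cURL and the response, so nothing applies the check.
    curl: { status: fromCurl.status, readable: fromCurl.status === 200 },
  };
}

console.log(compareClients());
```

All three callers receive status 200 with the product JSON; only the script running on the other website is kept from reading it, and that decision is made by its browser.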
