
BrianA

Simple API Login Without Using Passport

Hi,

I have a Laravel project in which I used Laravel's Authentication scaffolding to register, login and logout (amongst other auth actions) users in the web app. Users are stored in the Users table.

The complete system however will also need a way how users can login into their account (Users table) from a mobile application or from other web apps, using API routes. This means that I need a simple way of securely 'forwarding' the email address and password to an APILoginController via an API route (for instance http://localhost/api/login?email=...&password=...).

A function in the APILoginController will:

  • Check if the user with the provided email address exists in the Users table.
  • If the user is found, check that the provided password (for example from the mobile application via the API login route) matches the hashed password in the database/Users table; if these match, the user using the mobile app can be logged in and can request data from other tables in the database of the Laravel project.

Currently, I was thinking of implementing something like this:

In api.php:

Route::post('/login', 'API\APILoginController@loginUser');

In APILoginController (a controller created under Http/Controllers/API):

use App\User;
use Illuminate\Http\Request;

public function loginUser(Request $request)
{
    $email = $request->input('email');
    $password = $request->input('password');

    // Note the closing bracket on the array passed to where()
    $user = User::where(['email' => $email])->first();
    if ($user) {        // If the user is found
        // CHECK THAT API PASSWORD MATCHES DB PASSWORD
        // LOGIN USER
    } else {
        return 'user not found';       // You can create a page for this
    }
}

My question is, how should I 'login' the user via an API login such that for example mobile app users can login and request data from the database?

I appreciate any advice and thank you in advance!

Brian

0 likes
7 replies
bobbybouwmann

If you want the most simple version of an API you should use a token. So you should add an api_token field to your users table and generate a random string in there. On login using the API login route you check if the user exists and then you return the api_token. This token can then be used for authentication.

Laravel supports this out of the box. Check this part of the documentation: https://laravel.com/docs/6.x/api-authentication#passing-tokens-in-requests

Note: I'm not sure if this is still supported in Laravel 7.x since the documentation for this doesn't exist anymore. The reason for that is it's recommended to use Sanctum or Passport for authentication.

1 like
BrianA

Hi BOBBYBOUWMANN,

Thanks! I had a look at the documentation provided and it seems that Laravel's built-in API token system you suggested is what I need in this case. Will check if it is still supported in Laravel 7.x though.

If I understood well, when using hashed tokens, API tokens are not generated and stored when users register an account. Instead, these have to be generated and stored manually using an APITokenController, for example:

  • So in this case, is the (hashed) token created and stored when the user sends a login request with the respective username and password via the API login route?

I have another question regarding the token expiration/timeout:

  • If a token is created and stored into the api_token field of the users table, does this mean that the token remains unchanged unless re-generated and re-stored manually, or is there a timeout associated to the api_token field?

I appreciate any advice on this topic; thank you :)

Regards, Brian
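
The token approach bobbybouwmann describes, together with the hashed-token storage Brian asks about, as an added example that is not code from this thread or from Laravel itself. It assumes Laravel 6.x/7.x with the built-in token guard ('driver' => 'token' and 'hash' => true on the 'api' guard in config/auth.php), a nullable 64-character api_token column on the users table, the App\User model namespace of those versions, and the controller and route names from the original post; logoutUser is this example's own addition. Credentials are read from the request body, not the query string.

```php
<?php
// Added example (not Brian's or bobbybouwmann's code): a minimal API login
// controller for Laravel 6.x/7.x's built-in token guard, with the api_token
// stored as a SHA-256 hash. Assumes: a nullable `api_token` column on users
// (string, 64 chars, unique), and 'hash' => true on the 'api' guard in
// config/auth.php. The logout method is an addition for illustration.

namespace App\Http\Controllers\API;

use App\Http\Controllers\Controller;
use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;

class APILoginController extends Controller
{
    // POST /api/login with JSON or form fields: email, password
    // (credentials travel in the request body, never in the query string,
    // so they do not land in browser history, proxy logs or access logs).
    public function loginUser(Request $request)
    {
        $credentials = $request->validate([
            'email'    => 'required|email',
            'password' => 'required|string',
        ]);

        $user = User::where('email', $credentials['email'])->first();

        // Hash::check compares the plaintext password against the bcrypt
        // hash in users.password. One generic error covers both "no such
        // user" and "wrong password", so the endpoint does not reveal
        // which email addresses have accounts.
        if (! $user || ! Hash::check($credentials['password'], $user->password)) {
            return response()->json(['message' => 'Invalid credentials.'], 401);
        }

        // A fresh random token is generated on every login. Only its SHA-256
        // hash is stored (the token guard hashes the incoming bearer token the
        // same way before looking it up); the plaintext is returned once.
        // Writing a new hash also invalidates any previously issued token for
        // this user; the built-in token guard has no expiry of its own.
        $plainToken = Str::random(60);
        $user->forceFill([
            'api_token' => hash('sha256', $plainToken),
        ])->save();

        return response()->json(['token' => $plainToken]);
    }

    // POST /api/logout, on a route protected by the auth:api middleware.
    public function logoutUser(Request $request)
    {
        // Clearing the stored hash invalidates the current token.
        $request->user()->forceFill(['api_token' => null])->save();

        return response()->json([], 204);
    }
}
```

With this controller, api.php would carry Route::post('/login', 'API\APILoginController@loginUser') and Route::post('/logout', 'API\APILoginController@logoutUser')->middleware('auth:api'), and the mobile app sends the returned token on every later request as an Authorization: Bearer header. Because only the SHA-256 hash sits in the database, a leaked users table does not hand out usable tokens, but the plaintext token must still be kept in secure storage on the device and the API must only be served over HTTPS.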

martinbean

@briana You don’t “log in” to APIs. And you definitely shouldn’t be sending email addresses and plaintext passwords in the query string of requests; that’s a massive security issue.

Your system needs a way for mobile applications and other applications to authenticate. Well, this is exactly what Passport was created for. For example, from the auth code grant with PKCE section:

The Authorization Code grant with "Proof Key for Code Exchange" (PKCE) is a secure way to authenticate single page applications or native applications to access your API.

So, perfect for your use case. When your mobile application is authenticated, you will get an access token for the user that you can use to authenticate API requests as that user.

Use things that have been built to solve problems. 90% of problems have been solved already. There’s no reason to spurn a pre-built solution like Passport as then you make decisions like you have that actually make your application less secure. Passport has been installed tens of millions of times; it’s well tested and any major security issues will have been discovered by now.
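
The Authorization Code grant with PKCE that martinbean points to, seen from the mobile application's side, as an added example that is not code from this thread or from Passport's own source. The host, client_id, redirect URI and scope are placeholders; the /oauth/authorize and /oauth/token endpoints and the parameter names are the ones documented for Passport, and it is assumed the client was created as a public client (php artisan passport:client --public), so no client secret is shipped in the app.

```php
<?php
// Added example (not the thread's or Passport's own code): the client side of
// the Authorization Code grant with PKCE against a Laravel Passport server.
// Placeholders: the Passport server at https://auth.example.test, client_id 3
// (assumed to be a public client created with `passport:client --public`),
// and the app's callback URI myapp://callback.

// Step 1: code_verifier, 43-128 unreserved URL characters (RFC 7636).
// 64 random bytes base64url-encoded gives 86 characters.
function pkceVerifier(): string
{
    return rtrim(strtr(base64_encode(random_bytes(64)), '+/', '-_'), '=');
}

// code_challenge = BASE64URL(SHA256(code_verifier)), method "S256".
// Only the challenge leaves the device before the code exchange.
function pkceChallenge(string $verifier): string
{
    return rtrim(strtr(base64_encode(hash('sha256', $verifier, true)), '+/', '-_'), '=');
}

// Step 2: the app opens this URL in the system browser. The user enters
// email and password on the Laravel site's own login page, never in the
// mobile app, and never as query-string parameters of an API call.
function authorizeUrl(string $state, string $challenge): string
{
    $query = http_build_query([
        'client_id'             => 3,
        'redirect_uri'          => 'myapp://callback',
        'response_type'         => 'code',
        'scope'                 => '',
        'state'                 => $state,
        'code_challenge'        => $challenge,
        'code_challenge_method' => 'S256',
    ]);

    return 'https://auth.example.test/oauth/authorize?' . $query;
}

// Step 3: the browser redirects to myapp://callback?code=...&state=...;
// after checking state, the app POSTs this body to /oauth/token. The server
// hashes code_verifier and compares it with the challenge from step 2, so a
// stolen authorization code is useless without the verifier kept on device.
function tokenRequest(string $code, string $verifier): array
{
    return [
        'grant_type'    => 'authorization_code',
        'client_id'     => 3,
        'redirect_uri'  => 'myapp://callback',
        'code_verifier' => $verifier,
        'code'          => $code,
    ];
}

// Putting the pieces together (the actual HTTP calls are left to the app's
// HTTP client and are not shown here):
$state     = bin2hex(random_bytes(20)); // ties the callback to this attempt
$verifier  = pkceVerifier();            // keep state + verifier until step 3
$challenge = pkceChallenge($verifier);
echo authorizeUrl($state, $challenge), PHP_EOL;

// When the callback arrives with $code and $returnedState:
//   if (! hash_equals($state, $returnedState)) { /* abort: not our request */ }
//   POST https://auth.example.test/oauth/token with tokenRequest($code, $verifier)
// Passport answers with token_type, expires_in, access_token and refresh_token;
// subsequent API requests carry  Authorization: Bearer <access_token>.
```

The point of the verifier/challenge pair is that the value sent through the browser (the challenge) cannot be turned back into the value needed at the token endpoint (the verifier), which is what makes this grant usable by public clients that cannot keep a secret. The access token is what identifies the user on later requests to routes behind the auth:api middleware, and it can be refreshed or revoked server-side without touching the user's password.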

BrianA

Thanks for the advice @martinbean.

I will definitely consider using Laravel Passport for API authentication then. I will go through the documentation to understand how I can implement this authentication package for my project.

BrianA

For my Laravel project to function as required, I made some changes/custom modifications to the Laravel Auth Scaffolding. These include the addition and modification of functions in the RegisterController, the VerificationController, the ForgotPasswordController, and the ResetPasswordController.

I also modified and added some routes in my routes file web.php. In other words, instead of using

Auth::routes();

in the web.php file, I defined all auth routes being used by my application, and modified/added others, for instance:

...
// Password reset routes:
Route::post('password/email', 'Auth\ForgotPasswordController@createResetToken')->name('password.email');
Route::get('password/reset', 'Auth\ForgotPasswordController@showLinkRequestForm')->name('password.request');
Route::get('password/reset/{token}', 'Auth\ForgotPasswordController@showPasswordResetForm')->name('password.reset');
Route::post('password/reset', 'Auth\ForgotPasswordController@updatePassword')->name('password.update');
// Email verification routes:
Route::get('/verify/resend/{id}', 'Auth\RegisterController@resendVerificationEmail');
Route::get('/verify/email/{id}', 'Auth\RegisterController@verifyUser')->name('verify');
...
  • If I understood well after looking at the documentation of both Laravel Auth Scaffolding and Laravel Passport, these are separate from each other as one package is responsible for just the web part while the other for the authentication of mobile applications and other applications. Therefore, changes in the auth structure/code should not have an impact on the API authentication using Passport. Is this correct?

Thanks a lot, Brian
