I'm trying to put together some basic API protection for one of my Laravel projects. I want to build dynamic select lists so that users can select specific models by search instead of manually typing the model ID. The whole app is auth protected, you have to be logged in to access anything, so I want the API route to have some level of protection as well, but not too much. Since users have to be logged in anyway, I don't want an auth-protected API like what Sanctum or Passport offer; I'd want something simpler, like using the CSRF token embedded in each page by Laravel to check that the request is not coming from someone without access to the app. Is that possible out of the box?
@caercam So you want to protect your API, but not with the API protection options that are available to you…?
If you don't want people accessing your API outside of your app then just use token-based authentication, instead of trying to come up with your own workaround. The solutions exist. Just use them.
@martinbean Correct me if I'm wrong, but token-based auth implies either asking users for credentials, which I don't want because they're already logged in and I'm just implementing an Ajax-loaded select inside the app, or using some kind of persistent API tokens, which I'm not sure I want to use either because nothing would prevent someone from stealing a token and accessing the data without being authenticated. Am I missing something?
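What the original poster describes does work out of the box, as long as the search route lives in routes/web.php rather than routes/api.php: the `web` middleware group already carries the session (so `auth` sees the logged-in user) and `VerifyCsrfToken`, while the `api` group has neither. The following is an added example written for this thread, not code from any of the posters; the controller name, the `/search/users` path, the `name` and `team_id` columns and the 20-row limit are assumptions made for the example.

```php
<?php
// Added example (not from the original thread): a session-authenticated,
// CSRF-checked search endpoint backing a dynamic <select>, using only what
// Laravel ships with. SearchUsersController, /search/users, the `name` and
// `team_id` columns and the row limit are assumptions for this example.

// --- routes/web.php --------------------------------------------------------
// Routes declared here get the `web` middleware group, which includes
// StartSession and VerifyCsrfToken. A route in routes/api.php would get the
// `api` group instead: no session, no CSRF check, so this design would not work.
use App\Http\Controllers\SearchUsersController;
use Illuminate\Support\Facades\Route;

Route::post('/search/users', SearchUsersController::class)
    ->middleware('auth')   // no logged-in session, no access
    ->name('search.users');
// Caveat: VerifyCsrfToken skips GET, HEAD and OPTIONS. The search is read-only,
// but it is declared as POST so the CSRF token is actually verified.

// --- app/Http/Controllers/SearchUsersController.php -------------------------
namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class SearchUsersController extends Controller
{
    public function __invoke(Request $request): JsonResponse
    {
        // Only answer the in-app Ajax call (Accept: application/json);
        // a plain browser visit to the URL gets a 404.
        abort_unless($request->expectsJson(), 404);

        $validated = $request->validate([
            'q' => ['required', 'string', 'min:2', 'max:100'],
        ]);

        // Escape LIKE wildcards so a typed "%" or "_" cannot widen the match.
        $term = addcslashes($validated['q'], '%_\\');

        $matches = User::query()
            ->where('name', 'like', '%' . $term . '%')
            // Scope results to what this user may see. `team_id` is an assumed
            // tenant column; drop or replace it for a single-tenant app.
            ->where('team_id', $request->user()->team_id)
            ->orderBy('name')
            ->limit(20)                 // never hand back the whole table
            ->get(['id', 'name']);

        return response()->json(
            $matches->map(fn (User $u) => ['value' => $u->id, 'label' => $u->name])
        );
    }
}
```

On the browser side the request must carry the session cookie (same-origin `fetch` with `credentials: 'same-origin'`, or Axios) plus the token: either the value of the `<meta name="csrf-token" content="{{ csrf_token() }}">` tag in the `X-CSRF-TOKEN` header, or, with Laravel's default Axios bootstrap, the encrypted `XSRF-TOKEN` cookie that Axios sends automatically as `X-XSRF-TOKEN`. The token is stored in the user's session and is regenerated on logout, so, unlike a persistent API token, it is only useful together with that user's live session cookie; it defends against cross-site forgery, not against an attacker who has already stolen the session itself.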