Socialite - GitLab auth with GitLab token protected API
Hello folks,
Introduction
Let me explain my idea:
I want to develop an API, which should only be accessible by GitLab-authenticated users.
So far, I have implemented the GitLab Socialite authentication by following the latest docs:
https://laravel.com/docs/7.x/socialite
Now I want to create API endpoints that are protected by an auth guard, which should check the validity of a GitLab access token.
Current implementation
My plan so far is to create a user (if none exists) per authenticated GitLab user; otherwise, find the user and authenticate them directly (because the user is already logged in via GitLab - see the Socialite callback functions).
To protect routes, I can now use the default 'auth' middleware, but it wouldn't check the validity of a GitLab token.
The question
Since I have run out of ideas, I want to know if any of you have already done something similar. Should I call the GitLab API to validate an access_token? Does GitLab provide such endpoints?
Is my approach even correct or am I missing something? Thank you guys!
@wowabeats I think you’re misunderstanding access tokens and their use cases to be honest.
You’re right in that, using the GitLab Socialite provider, you would be able to authorise a GitLab user to use your application. But then any authentication to your API should be done using the token your application has issued, and not a GitLab access token.
A GitLab access token is for a user to interact with GitLab’s services, not yours.
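To make the distinction in the reply above concrete, here is an added example (not code from the original thread or from Laravel/Socialite themselves) of how the two tokens are kept apart: the Socialite callback consumes the GitLab authorisation once, finds or creates the local user, and then the application issues its own API token with Laravel Sanctum. The GitLab access token is only kept (encrypted) for calling GitLab on the user's behalf and is never accepted as a credential for the app's own API. It assumes Sanctum is installed and migrated, that the `User` model uses the `HasApiTokens` trait, and that the `users` table has the hypothetical `gitlab_id` and `gitlab_token` columns.

```php
<?php
// routes/web.php (browser flow) and routes/api.php (token-protected API).
// Added example; assumes Sanctum is installed, User uses HasApiTokens,
// and the users table has hypothetical columns gitlab_id and gitlab_token.

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;
use Laravel\Socialite\Facades\Socialite;

// Step 1: send the browser to GitLab's OAuth authorisation page.
Route::get('/login/gitlab', function () {
    return Socialite::driver('gitlab')->redirect();
});

// Step 2: GitLab redirects back here. Socialite validates the `state`
// parameter and exchanges the code for a GitLab access token.
Route::get('/login/gitlab/callback', function () {
    $gitlabUser = Socialite::driver('gitlab')->user();

    // Key the local account on the stable GitLab user id, not on the
    // e-mail address, which a user can change on GitLab's side.
    $user = User::firstOrCreate(
        ['gitlab_id' => $gitlabUser->getId()],
        [
            'name'     => $gitlabUser->getName() ?? $gitlabUser->getNickname(),
            'email'    => $gitlabUser->getEmail(),
            // A random password so the account cannot be used with
            // the password-based login form.
            'password' => bcrypt(Str::random(40)),
        ]
    );

    // Keep the GitLab token only for calling GitLab on the user's behalf
    // (e.g. listing their projects). Encrypt it at rest; it is a bearer
    // credential for GitLab, not for this application.
    $user->forceFill([
        'gitlab_token' => Crypt::encryptString($gitlabUser->token),
    ])->save();

    // Browser session for the web UI.
    Auth::login($user, true);

    // Step 3: issue the application's own API token (Sanctum). Sanctum
    // stores only a SHA-256 hash of this value; the plaintext is shown
    // once and is what API clients send as a Bearer token.
    $apiToken = $user->createToken('api')->plainTextToken;

    return view('api-token', ['token' => $apiToken]);
});

// Step 4: API routes are protected by Sanctum's guard. It looks up the
// hashed Bearer token in personal_access_tokens; a GitLab token sent
// here will simply fail with 401 because the app never issued it.
Route::middleware('auth:sanctum')->get('/api/me', function (Request $request) {
    return [
        'id'        => $request->user()->id,
        'gitlab_id' => $request->user()->gitlab_id,
    ];
});

// Example of the only legitimate use of the stored GitLab token: calling
// GitLab itself on behalf of the authenticated API user.
Route::middleware('auth:sanctum')->get('/api/gitlab/projects', function (Request $request) {
    $gitlabToken = Crypt::decryptString($request->user()->gitlab_token);

    // Hypothetical helper; any HTTP client works. Note the GitLab token
    // travels to GitLab, never back from the client to this API.
    return Http::withToken($gitlabToken)
        ->get('https://gitlab.com/api/v4/projects', ['membership' => true])
        ->json();
});
```

Two points worth checking in practice: `personal_access_tokens` rows should be revoked (`$user->tokens()->delete()`) when a user is deactivated, independently of whatever GitLab does with its token; and if the GitLab token is ever revoked on GitLab's side, the app's API token stays valid, which is exactly the separation the reply describes. The `Http` facade (`Illuminate\Support\Facades\Http`) exists from Laravel 7 onward; earlier versions would use Guzzle directly.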