
koraykupe

Stateless API - Where should I save the auth token?

Hello guys,

I've been developing a Laravel-based web app that consumes some internal APIs, modifies the data and exposes other APIs for the frontend.

After user authentication, our login API returns a user token as usual. I put it in the user session and read it from the session whenever I make any other API call. Am I doing this correctly? My goal is to keep it stateless, but I couldn't find any other way to save it.

Can you recommend a better way if you have one?

Regards.

lostdreamer_nl

If it's a SPA (Single Page App), you can simply keep the user token in memory; if it has multiple pages, you could keep the user token in local storage, for instance.

A stateless API should get the token on every request and should not be using sessions.

koraykupe

It must also be safe to use. Reliable resources say never to store sensitive data using Web Storage / Local Storage.

Someone may steal the token from the local storage.

What do you think @lostdreamer_nl ?

primordial

I also keep my tokens in local storage. A client side token should never contain sensitive data.

lostdreamer_nl

Having a token in localStorage is IMO the same as having a user with a saved password in the form/browser (which will also be available in plain text to any user behind that browser).

If you have any concern about security, the client-side tokens should be invalidated after some time (Passport, for instance, will do so automatically).

Or you could use sessionStorage, which is emptied as soon as the browser is closed.
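As an added example (not code from this thread, nor from Laravel or Passport), here is how the advice in the replies above could be put together on a SPA client: the token is held in memory by default rather than in localStorage, it is attached as a bearer header on every request so the API itself stays stateless and never needs a server session, and it is dropped client-side once the expiry returned by the login API has passed or the server answers 401. It assumes the login API returns an object with a `token` and an `expires_in` in seconds; the names `createTokenStore`, `createApiClient` and the `api_token` key are illustrative. The store accepts any object with the Web Storage interface (`getItem`/`setItem`/`removeItem`), so `window.sessionStorage` can be passed in where the token must survive a full-page navigation but should still disappear when the browser closes.

```javascript
// Added example: client-side token handling for a stateless API.
// Assumed login response shape: { token: "<opaque or JWT>", expires_in: <seconds> }.

// Tiny in-memory object with the Web Storage interface, so the same store code
// works unchanged with window.sessionStorage in a browser.
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}

// Holds the token plus its absolute expiry. `now` is injectable so expiry can
// be tested deterministically; `storage` defaults to memory (nothing on disk).
function createTokenStore({ now = () => Date.now(), storage = memoryStorage() } = {}) {
  const KEY = 'api_token'; // illustrative key name
  return {
    // Record the token from a login response together with when it expires.
    setFromLogin({ token, expires_in }) {
      if (typeof token !== 'string' || token.length === 0) {
        throw new Error('login response has no token');
      }
      const expiresAt = now() + Number(expires_in) * 1000;
      storage.setItem(KEY, JSON.stringify({ token, expiresAt }));
    },
    // Return the token only while it is still valid. A stale token is removed
    // rather than sent, so the user is re-prompted instead of getting a 401.
    get() {
      const raw = storage.getItem(KEY);
      if (!raw) return null;
      const { token, expiresAt } = JSON.parse(raw);
      if (now() < expiresAt) return token;
      storage.removeItem(KEY);
      return null;
    },
    clear() { storage.removeItem(KEY); },
  };
}

// Build the Authorization header for a request, or null when there is no
// valid token (caller must then send the user to the login flow).
function authHeaders(store) {
  const token = store.get();
  return token ? { Authorization: `Bearer ${token}` } : null;
}

// Wrap fetch so every API call carries the bearer token: the server gets the
// token on each request and keeps no session. `fetchImpl` is injected so the
// example runs without a browser or network.
function createApiClient(store, fetchImpl, onUnauthenticated = () => {}) {
  return async function apiFetch(url, init = {}) {
    const headers = authHeaders(store);
    if (!headers) {
      onUnauthenticated();
      throw new Error('no valid token: login required');
    }
    const res = await fetchImpl(url, {
      ...init,
      headers: { ...(init.headers || {}), ...headers },
    });
    if (res.status === 401) {
      // Server rejected or revoked the token: forget it on the client as well.
      store.clear();
      onUnauthenticated();
    }
    return res;
  };
}
```

In a browser you would call `createTokenStore()` once at module load (or `createTokenStore({ storage: window.sessionStorage })` for the multi-page case) and pass `window.fetch` as `fetchImpl`; keeping the token in module scope means a page reload forces a fresh login, which is the trade-off the replies above describe.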
