
thushara's avatar

Where should we keep third party API tokens?

Hello, we are developing a Vue + Laravel application that will use another third-party REST API. Currently, we make API requests from Vue to the Laravel backend, and Laravel makes the necessary API call to that third-party API.

The third-party API also needs an access token. Where should we keep this access token? In Laravel sessions? What is the best practice for these kinds of scenarios?

Thank You

0 likes
17 replies
RayC's avatar

I would add it to your .env file and call it from there. Such as:

THIRD_PARTY_NAME_API_TOKEN=your_token_here

Call it like any other env item:

env('THIRD_PARTY_NAME_API_TOKEN')

Or create a config file and add it there.

return [
    'api_token' => 'your_token_here',
];
Sinnbeck's avatar

@RayC Always use a config file. Using it in code will result in null on production :)

1 like
thushara's avatar

@RayC Hi, but this is an access token, so it will change according to the user.

1 like
RayC's avatar

@Sinnbeck I was updating my comment as you were typing that lol

1 like
RayC's avatar

@thushara Missed that part of the question. Didn't realize it was changing.

Sinnbeck's avatar

I assume it is a token that will be returned from the endpoint and will expire? And that it is unique for the frontend user? If so, I would most likely use session. If you need to keep track of them, you can also use the database.

RayC's avatar

@Sinnbeck For my own knowledge, can't a session be hijacked? Would it be a good idea to use encrypted sessions in this case?

Sinnbeck's avatar

@RayC Sessions are encrypted by default in Laravel. And if the session is hijacked, the hacker will be logged in as the user anyways :)

thushara's avatar

@Sinnbeck Yes, it is the token we got when authenticating with that third-party API, so it will be unique for the frontend user. OK, I am going to use the Laravel session then. Currently, we keep this token in Vue local storage and send it in the headers of every request, which I think is a bad procedure.

thushara's avatar

@Sinnbeck It is OK to use sessions with an API. I mean not that third-party one. Our own app has an API. Example: get all users, /api/v1/user (this is our own API). Within this API call, we call that third-party one, so we will get the access token from the session.

So we are going to use sessions with an API. Is it OK?

Sinnbeck's avatar

@thushara Ah, if it's for an actual API (not just an internal API for Vue), I would store it in the database, so you don't need to enable sessions for your own API. If it is stateful already, you can just use sessions.

thushara's avatar

@Sinnbeck It's just an internal API for Vue. And sorry, may I know what stateful means?

Sinnbeck's avatar

@thushara Stateless = no sessions and stateful = has sessions. Normally external APIs are stateless and internal ones can be either :)
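
The approach the thread settles on (a per-user third-party token kept in the Laravel session instead of Vue local storage), as an added example that is not code from any poster in this thread. The controller name, the `services.third_party.base_url` config key, the `/auth/token` and `/users` paths and the `access_token` / `expires_in` response fields are assumptions, and the routes are assumed to run with Laravel's session middleware enabled.

```php
<?php
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;

// Hypothetical controller: endpoint paths, config key and response fields are assumptions.
class ThirdPartyController extends Controller
{
    // Exchange the user's credentials for a third-party token and keep it server-side.
    public function connect(Request $request)
    {
        $data = $request->validate(['username' => 'required|string', 'password' => 'required|string']);

        $response = Http::acceptJson()
            ->post(config('services.third_party.base_url') . '/auth/token', $data);

        if ($response->failed()) {
            return response()->json(['message' => 'Third-party login failed'], 401);
        }

        // Issue a new session ID, then store the token; it is never sent to the browser.
        $request->session()->regenerate();
        $request->session()->put('third_party', [
            'token' => $response->json('access_token'),
            'expires_at' => now()->addSeconds((int) $response->json('expires_in', 3600))->timestamp,
        ]);

        return response()->json(['connected' => true]);
    }

    // Internal endpoint called by Vue; Laravel attaches the bearer token itself.
    public function users(Request $request)
    {
        $stored = $request->session()->get('third_party');

        // Missing or expired token: drop it and make the client reconnect.
        if (! $stored || $stored['expires_at'] <= now()->timestamp) {
            $request->session()->forget('third_party');
            return response()->json(['message' => 'Reconnect required'], 401);
        }

        return Http::withToken($stored['token'])
            ->acceptJson()
            ->get(config('services.third_party.base_url') . '/users')
            ->throw()
            ->json();
    }
}
```

With this layout the Vue client only ever holds the Laravel session cookie, so script running in the page cannot read the third-party token the way it could read local storage.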
