
ficus, Level 1

API for internal and external use

Hi guys!

I am building a monolith SaaS application. However, core functionality has to be available for external integrators.

So, how do I build an API which can be used without a hassle in a monolith app, even using route model binding (can I do that?)? On the other hand, there must be some API authentication method, different from just the auth middleware using email and password, I guess.

I am thinking about using Passport or even simple user tokens (very few users will make use of the API; however, I need to be able to set a different access level for each of them), but then - how can I use API routes inside my app? Some of them I want to use through the back-end rather than JS and the front-end, so I guess I will be forced to build some library to make API calls.

But again, is it possible to skip API authentication for given domains, or do I need to generate myself an API key (whatever it will be) and pass it every time I make a call? Is there any simpler solution? Integrators can have their API keys assigned to their main accounts, but the application is not a user, so how do I assign a key to the whole app?

Also, as the default API route (/api/user) uses the auth:api middleware, it should be possible to access that route while being logged in; however, it keeps redirecting me to the login page and then not returning any user from $request->user(). Which middlewares should be used for an API?

0 likes
2 replies
lostdreamer_nl, Level 53

With the type of questions being asked, I'm thinking you might want to overthink the whole 'building a monolith SaaS application'... Most of it is basic stuff for any system.

But here goes:

"how to build an api [...] even using route model binding (can I do that?). "

  • Yes, you can: the same way you would do it for a normal website made in Laravel. Set up the routes (but now in routes/api.php) and inject / typehint what you need in the controller serving the request.

"I am thinking about using Passport or even simple user tokens"

  • Biggest difference: with Passport a user can have multiple tokens, even with different roles for those tokens, and they can also disable any token at any time (might be handy if the users of your API also have to get external programmers to develop their end; they can now create a temp token for the programmer to test). If you go for simple user tokens, make sure a user can reset the token at any time.

"I need to be able to set different access level to each of them), but then - how can I use api routes inside my app? "

  • This is basic authorization: once authenticated, what can someone do, and are they even allowed on a certain URL? You might want to google "Laravel Gates". You can still use your API routes and even your model binding, but now you'll have to write small scripts to check if someone is allowed to do action A on object type B. How to implement this is completely up to you to decide what's best for your (end users') needs.

"... Part of them I want to use through back-end rather than js and front-end"

  • Front end validation is no validation at all.... Security by oblivity

"is it possible to skip api authentication for given domains or I need to generete myself a api key (whatever it will be) and pass it"

  • You are building the system, so.... of course it is possible. You could for instance write a small piece of middleware that checks for the originating IP, and if it's within a hard-coded list, it would simply auth()->loginUsingId( $this->ipToUser[ $request->ip() ] ); login as that user... Or you can pass an API key.... up to you.

"... application is not a user, so how to assigne a key to whole app?"

  • If it is needed to be logged in at all times (for instance, saving a Widget would need you to be logged in, and a lot of code depends on a Widget having an owner), you could simply create a type of Admin account which is used by the system itself, I guess.

"Also, as the default API route (/api/user) uses the auth:api middleware, it should be possible to access that route while being logged in; however, it keeps redirecting me to the login page and then not returning any user from $request->user(). Which middlewares should be used for an API?"

  • Laravel's auth system is set up in config/auth.php:

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],
        'api' => [
            'driver' => 'token',
            'provider' => 'users',
        ],
    ],

So by default it's using a token-based login system (not the same as the session used on the web.php routes).

To implement the token driver, you need to add the token to the user migration:

$table->string('api_token', 60)->unique();

After that, make sure the api_token field gets seeded with something when a user is created, and that they can reset the token when they want.

Any request made to your API routes (behind the auth middleware) that has a GET or POST variable 'api_token' will now be authenticated for that single request.

1 like
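The token-driver setup described in the reply above, written out as an added example (not code from the thread or from Laravel itself). It goes one step beyond the reply by storing hash('sha256', token) in api_token rather than the raw token, so a dumped users table yields nothing usable; it assumes Laravel 5.8+ (the 'hash' guard option) and the default App\User model, and the route paths are constructed.

```php
<?php
// Added example, not code from the thread. Implements the token-driver setup the
// reply describes, but stores hash('sha256', token) instead of the raw token.
// Assumes Laravel 5.8+ (the 'hash' guard option) and the default App\User model.

use Illuminate\Database\Schema\Blueprint;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Schema;
use Illuminate\Support\Str;

// config/auth.php -- with 'hash' => true the guard hashes the incoming api_token
// before looking it up:
// 'api' => ['driver' => 'token', 'provider' => 'users', 'hash' => true],

// Migration body: 64 chars holds the hex sha256; nullable so a user can have no key.
Schema::table('users', function (Blueprint $table) {
    $table->string('api_token', 64)->unique()->nullable();
});

// In the real app this is App\User.
class User extends \Illuminate\Foundation\Auth\User
{
    // Keep the hash out of every JSON response, including /api/user.
    protected $hidden = ['password', 'remember_token', 'api_token'];

    // Mint a new token, persist only its hash, and hand back the plaintext once.
    // Calling it again invalidates the previous token: this is the "reset" the
    // reply asks for, and it is also what seeds the column at registration.
    public function resetApiToken(): string
    {
        $plain = Str::random(60);
        $this->forceFill(['api_token' => hash('sha256', $plain)])->save();
        return $plain;
    }
}

// routes/web.php (path constructed): minting or rotating a key happens inside
// the normal session login, so only the account owner can do it.
Route::middleware('auth')->post('/settings/api-token', function (Request $request) {
    return ['api_token' => $request->user()->resetApiToken()];
});

// routes/api.php: auth:api accepts api_token as a query/POST field or as an
// "Authorization: Bearer <token>" header. A request that sends
// Accept: application/json gets a 401 on failure; a plain browser visit gets
// the login redirect the question describes.
Route::middleware('auth:api')->get('/user', function (Request $request) {
    return $request->user();
});
```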
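The "originating IP" middleware the reply sketches for internal callers, as an added example (not the reply's code). It attaches the user to the api guard with setUser() instead of auth()->loginUsingId(), which only acts on the session guard, and it spells out the trusted-proxy condition that makes $request->ip() safe to rely on. The IP-to-user map, the account id and the middleware name are constructed.

```php
<?php
// Added example, not code from the thread. Assumes Laravel 5.5+ and App\User;
// the allow list and user id 1 are constructed values.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class AuthenticateInternalCaller
{
    // Hard-coded allow list, as in the reply: client IP => user id of the
    // system account. $request->ip() honours X-Forwarded-For only for proxies
    // listed in App\Http\Middleware\TrustProxies; if that is set to '*', any
    // client can forge the header and land in this list, so keep it narrow.
    private $ipToUser = [
        '127.0.0.1' => 1, // the monolith calling its own API
        '10.0.0.5'  => 1, // a hypothetical worker host
    ];

    public function handle(Request $request, Closure $next)
    {
        $ip = $request->ip();

        // Only fill in the user when no api_token already identified one.
        if (!Auth::guard('api')->check() && isset($this->ipToUser[$ip])) {
            // Bound to this request only; no session cookie is created.
            Auth::guard('api')->setUser(\App\User::findOrFail($this->ipToUser[$ip]));
        }

        // Every other caller falls through to auth:api and needs an api_token.
        return $next($request);
    }
}

// Register it in App\Http\Kernel::$routeMiddleware as 'internal' (name
// constructed) and put it in front of auth:api on the routes that allow it:
// Route::middleware(['internal', 'auth:api'])->get('/user', ...);
```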
ficus, Level 1

@LOSTDREAMER_NL - Right now, after reading my questions again and then your answers, I am kind of shocked at my own stupidity :P Next time before I ask I will take a break after work, definitely.

It all seems obvious now, thank you for your time and clarification! :-)
