Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
We have two servers running. One is typical webserver running our Laravel based website. The other one is a machine that runs constantly as well and works on repeated tasks. Once it finishes a task, it sends resulting data to webserver endpoint via POST request, which takes the data and stores it in database.
My question is, how would you secure the endpoint? We are using Passport for our API routes, but this one is different purpose - no user authentication and it's not a public endpoint. It would be nice to have just two keys on the machine that would allow webserver to authenticate its requests. Is there any package that would make a good fit for such a use case?
Thanks
@rudexpunx If you are using Passport just use Client Credentials Grant Tokens...
The client credentials grant is suitable for machine-to-machine authentication.
https://laravel.com/docs/6.x/passport#client-credentials-grant-tokens
Depends on what you mean by not-public? Not listed in the world as an API or not available to outside networks / the general interwebs?
Shame I missed that vital part of Passport documentation.
Thank you for your quick response and getting me on the right track @fylzero
If you wanted a simpler approach, send the second server a secure URL for the endpoint, with it set to expire after n hours. Before it expires, send it another.
Then on the end point, just check the url signature is still valid.
Or beta test "airlock" https://github.com/laravel/airlock
@rudexpunx It's easy to miss in the documentation because it exists in the table of contents at the bold title level... so your eye naturally scans to the smaller sub-item text in the TOC list. I can never find it when I'm looking either, so I usually just search the page for "machine-to-machine". lol
Please or to participate in this conversation.