
sustained

Auth choices for SPA + internal/closed API.

It seems like there's a million different ways to implement auth and it can be a bit overwhelming.

There's Passport, there's JWTs, there's the token driver, there's just using the web routes with an api prefix and probably more options.

In the case that you have a Laravel app and that Laravel app serves a Vue SPA which wants to consume its own (the Laravel) API, which option should one use?

At this point in time, my API will be closed/internal/only for self-consumption.

Are JWTs the "correct" answer? But in the future I'll likely open up my API, so I want to be future-proof. Also I don't want to lock myself out of the possibility of having some good old-fashioned Laravel backed routes that still work with auth.

Up until now, I've had all my API routes in web.php in a group with an api prefix and an ajax middleware and have been using the default Axios setup (that sends CSRF tokens etc.) but now I'm at the stage where I'd like to move the login/register etc. stuff that comes with the Laravel auth scaffolding into the SPA itself.

But it seems like that default auth scaffolding just isn't designed to accommodate that use-case, correct? So now I will be forced to get my hands dirty and write some auth code, as opposed to using what Laravel provides?

I just really don't want to get auth wrong, and I don't particularly trust these thousands of tutorials and guides that all do things in slightly different ways. I have no doubt many of them are flawed, security-wise, and I've read about various security concerns with JWTs.

I wish that the Laravel docs had some comprehensive information on doing auth properly with a Vue SPA that self-consumes its own Laravel API, or that there was a course which covered this in detail. There is this series but so far it's only covering the use-case of an app on one domain consuming the API of a separate Laravel app on another domain which is not at all what I want.

Thanks for reading!

0 likes
2 replies
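Here is what the setup the question describes (API routes kept in web.php under an api prefix, behind the auth middleware and an "ajax middleware", with the SPA calling them through Axios and the session cookie plus CSRF token) looks like in code. This is an added example, not code from the thread or from Laravel's scaffolding; the EnsureAjaxRequest class is a hypothetical stand-in for the poster's own ajax middleware, and the file paths and the /api/me route are assumptions.

```php
<?php
// Added example (not from the thread). Two files are shown here, separated
// by comments; both are assumed locations in a standard Laravel app.

// --- app/Http/Middleware/EnsureAjaxRequest.php (hypothetical) --------------
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

// Refuse anything that did not arrive as an XMLHttpRequest from the SPA.
// A browser will not attach X-Requested-With to a cross-origin request
// without a CORS preflight, so this is a cheap second barrier on top of
// Laravel's CSRF token check, not a replacement for it.
class EnsureAjaxRequest
{
    public function handle(Request $request, Closure $next)
    {
        if (! $request->ajax()) {
            abort(403, 'XHR requests only');
        }

        return $next($request);
    }
}

// --- routes/web.php --------------------------------------------------------
// Everything in this file runs inside the 'web' middleware group, so the
// session cookie, StartSession and VerifyCsrfToken already apply. No JWT or
// API token is introduced: the logged-in user is resolved by the session
// guard, exactly as it is for ordinary Blade-backed routes.
use App\Http\Middleware\EnsureAjaxRequest;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::prefix('api')
    ->middleware(['auth', EnsureAjaxRequest::class])
    ->group(function () {
        // Read-only endpoint the SPA can call to learn who is signed in.
        Route::get('/me', function (Request $request) {
            return $request->user()->only(['id', 'name', 'email']);
        });

        // A state-changing endpoint: POST, so it is covered by the CSRF
        // token check in addition to the session guard.
        Route::post('/profile', function (Request $request) {
            $data = $request->validate(['name' => 'required|string|max:255']);
            $request->user()->update($data);

            return response()->json(['ok' => true]);
        });
    });
```

On the client side nothing beyond the default Laravel Axios bootstrap is needed: it sends the X-Requested-With: XMLHttpRequest header (which the middleware above checks) and the CSRF token, either as X-CSRF-TOKEN read from the meta tag on the page that loaded the SPA or as X-XSRF-TOKEN read from the XSRF-TOKEN cookie Laravel sets; VerifyCsrfToken accepts both. Moving the login and register forms into the SPA does not change the protocol either: the SPA POSTs to the scaffolding's existing /login and /register routes with the same headers, and the server answers by setting the session cookie that every route in this group then relies on. Two things to check before opening the API to third parties later: the session cookie and CSRF token only work for a client on the same origin, so a separate token mechanism would have to be added for external consumers, and the ajax middleware should then be dropped from those routes rather than reused as an authentication control, since the header it checks is trivial for a non-browser client to set.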
sustained

I mean, the "main" JWT library for Laravel has 398 open issues and 13 open pull requests. It just doesn't exactly inspire confidence in the hip and cool new JWT movement. Auth is important and should be done right.

It's the reason I went with default Laravel auth scaffolding until now - I trust them.

1 like
AngelinCalu

Have you found your answers already? I am struggling with the exact same scenario as you did.
