Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

limb24's avatar

API authentication with an external API

Hi all, I'm fairly acquainted with the basics of Laravel and while my app is looking quite good, I can't wrap my head around implementing API protection with Laravel's auth functionality in this scenario: the username and password is sent through a HTTP request to an external API, which returns a response on whether the user has entered valid credentials. My Laravel app also has some API routes that must only be accessible to authenticated users. I also have to protect certain web routes, and need to implement sessions/cookies.

I looked around everywhere but it seemed that most of the tutorials/questions involved setting up a database that had usernames and passwords, and manually registering users. I saw some answers that said to create a custom user provider and a service provider, but after that I'm not sure where to go, and would like advice. Here is an example of what I have now:

MyUserProvider.php

class MyUserProvider implements UserProvider
{
    public function retrieveById($identifier) {
        // Retrieve a user by their unique identifier.
    }

    public function retrieveByToken($identifier, $token) {
        // Retrieve a user by their unique identifier and "remember me" token.
    }

    public function updateRememberToken(Authenticatable $user, $token) {
        // Update the "remember me" token for the given user in storage.
    }

    public function retrieveByCredentials(array $credentials) {
        // Retrieve a user by the given credentials.
    }

    public function validateCredentials(Authenticatable $user, array $credentials) {
        $ch = curl_init();
        // Make http post request here
        if ($credentials_are_valid) {
            return true;
        }
        return false;
    }
}

MyAuthServiceProvider.php

class MyAuthServiceProvider extends ServiceProvider
{
    /**
     * Register services.
     *
     * @return void
     */
    public function register()
    {
        //
    }

    /**
     * Bootstrap services.
     *
     * @return void
     */
    public function boot()
    {
        $this->registerPolicies();
        
        Auth::provider('my-auth', function ($app, array $config) {
            return new MyUserProvider();
        });
    }
}

and in my config/auth.php I have registered my user provider under providers.

I have looked into Passport but it seems the official docs utilized a database with users and passwords, and it didn't seem to have much advice for my scenario, where I don't have access to username and passwords. I am thinking to just do it without any Laravel help, like setting up a redis database and storing cookies in there, but I am always open to doing things the Laravel way.

0 likes
1 reply
fylzero's avatar

@limb24 Have you looked at this? https://laravel.com/docs/6.x/api-authentication

You can use basic token auth to get started. Basically the system can create a token to protect you API routes which is bound to a user. No need for usernames and passwords to auth to your API... just pass a token in the request.

Passport provides an oauth implementation which adds an additional layer of security but is a bit more complex to integrate. Basically it binds an access token but also requires you to generate and pull a transaction token for each request. If this is what you are looking to do I suggest watching: https://laracasts.com/series/whats-new-in-laravel-5-3/episodes/13

24 likes

Please or to participate in this conversation.