
lara111629

API Authentication

Hi,

Using Laravel to create an API. The frontend makes requests to the API to obtain things such as product data, etc. and displays the data to the page (not an SPA but same principles). I'm looking to further develop the API to allow POST/PUT requests, but need to understand the best way to secure these routes.

I've looked at Passport and installed it, but my application doesn't have users, so I cannot authenticate a user and use the CreateFreshApiToken middleware, obtaining the web token without Auth::login on every request... which seems silly.

How can I protect these routes from Joe Bloggs, but allow the requests to only be made from the server?

Many thanks in advance,

jeffreyvanrossum

I'm not sure I completely understand, but maybe you could look into using the CSRF token for this? This token is used to determine that the request is coming from the app itself, and not from an external source.

https://laravel.com/docs/6.x/csrf

bugsysha

If it is going to be only server-to-server communication then you do not need anything more complex than what is described here: https://laravel.com/docs/6.x/api-authentication

use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;

// Migration: add the token column to the existing users table.
Schema::table('users', function (Blueprint $table) {
    $table->string('api_token', 80)->after('password')
                        ->unique()
                        ->nullable()
                        ->default(null);
});

Set api_token field with \Illuminate\Support\Str::random(80).

Then just use following to CRUD resources

use GuzzleHttp\Client;

// $client is a Guzzle client pointed at the API host (base_uri is a placeholder);
// $token is the plaintext api_token value stored for the calling server.
$client = new Client(['base_uri' => 'https://example.com']);

$response = $client->request('POST', '/api/user', [
    'headers' => [
        'Authorization' => 'Bearer '.$token,
        'Accept' => 'application/json',
    ],
]);

Also note that you can hash those tokens on users table. Everything is well described on that page.
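Added example (not code from the thread, and not Laravel's own) of issuing one of those hashed tokens in a Laravel 6 app: an artisan command that mints the random value, stores only its SHA-256 hash in users.api_token, and prints the plaintext exactly once. It assumes Laravel 6's default App\User model and the migration above; the command class and its api:token signature are my own names.

```php
<?php
// app/Console/Commands/IssueApiToken.php (added example, not code from the
// thread). Assumes Laravel 6's default App\User model and the api_token
// column from the migration above; the command name is an assumption.

namespace App\Console\Commands;

use App\User;
use Illuminate\Console\Command;
use Illuminate\Support\Str;

class IssueApiToken extends Command
{
    protected $signature = 'api:token {email : user record that owns the token}';

    protected $description = 'Issue a fresh API token; only its SHA-256 hash is stored';

    public function handle(): int
    {
        $user = User::where('email', $this->argument('email'))->firstOrFail();

        // 80 random characters from Str::random (backed by random_bytes()).
        $plain = Str::random(80);

        // Store the hash, never the plaintext. With 'hash' => true on the api
        // guard in config/auth.php, Laravel's TokenGuard applies the same
        // hash('sha256', ...) to the incoming bearer value before looking the
        // user up, so a dump of the users table yields no usable token.
        // forceFill bypasses $fillable, which normally excludes api_token.
        // Saving a new hash also invalidates any token issued earlier.
        $user->forceFill(['api_token' => hash('sha256', $plain)])->save();

        // Shown once to the operator; the calling server keeps it in its own
        // config, outside anything that is served to a browser.
        $this->warn('Token (displayed once):');
        $this->line($plain);

        return 0;
    }
}
```

Run it as `php artisan api:token ops@example.com` (the address is a placeholder); Laravel 6's default Console Kernel picks up classes in app/Console/Commands automatically. Set 'hash' => true on the api guard in config/auth.php and put the server-to-server routes under Route::middleware('auth:api'); the Guzzle call above then authenticates with the printed plaintext.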

lara111629

Many thanks for getting back to me and apologies for the confusion on my part.

Essentially what I am trying to achieve is a way to protect the API routes from being viewed in a browser by anyone else other than the server. We've got a products page that on page load, fires off a GET request to /api/products, loads the products and displays them to the page.

What I want to avoid is anyone being able to go to /api/products in the browser and viewing them in JSON form (I'm aware the content in the JSON response will be shown on the page anyway - this is just a simple example).

Using the simple API authentication Laravel ships with (api_token) works great for this, but the token can be viewed in the JS calling the /api/products route.

This is just an example with a GET request. However, I'd also want to protect it from POST requests, for example, such as allowing the frontend (JS) to create a product using the POST /api/products endpoint.

Hope this makes more sense.

bugsysha

Using the simple API authentication Laravel ships with (api_token) works great for this, but the token can be viewed in the JS calling the /api/products route

No it can not be viewed in JS so do not worry about that.

lara111629

Sorry, I'm confusing things once again. The API token, from the axios request, would be visible in the markup. Therefore someone could take the token and use it in something like Postman and run a POST/PUT request etc.
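For the browser-facing case lara describes, here is an added example (not code from the thread) of the layout that follows from jeffreyvanrossum's CSRF suggestion: the page's JSON routes live in routes/web.php under the `web` middleware group, so POST/PUT must carry the session's CSRF token, and no API token is embedded in the page's JavaScript at all. The App\Product model, its fields and the /api/products paths are assumptions for illustration.

```php
<?php
// routes/web.php (added example, not the thread's own code). `App\Product`
// and the /api/products paths are assumptions for illustration.

use App\Product;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Routes defined in routes/web.php get the `web` middleware group: session
// cookie, EncryptCookies and VerifyCsrfToken. Routes in routes/api.php would
// get the `api` group instead, which has no session and no CSRF check.
Route::prefix('api')->group(function () {

    // Public read: the products page fetches this on load. Nothing the page's
    // JS can fetch can be hidden from the person driving the browser (the JSON
    // is already in their developer tools), so this endpoint returns only the
    // fields that are fine to show on the page anyway.
    Route::get('/products', function () {
        return Product::query()
            ->select(['id', 'name', 'price'])
            ->orderBy('name')
            ->get();
    });

    // State change: VerifyCsrfToken rejects this with HTTP 419 unless the
    // request carries the session's CSRF token (X-CSRF-TOKEN header or a
    // `_token` field). That blocks cross-site forgery; it does not make the
    // route reachable by the server only.
    Route::post('/products', function (Request $request) {
        $data = $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'price' => ['required', 'numeric', 'min:0'],
        ]);

        $product = Product::create($data);   // assumes $fillable = ['name', 'price']

        return response()->json($product, 201);
    });
});
```

Laravel's default resources/js/bootstrap.js already copies the `csrf-token` meta tag into the X-CSRF-TOKEN header for axios, as the CSRF docs linked earlier describe. The caveat a practitioner should keep in mind: the CSRF token protects the browser from being driven by another site, but it is visible to anyone who loads the page, just like an api_token placed in the markup, so it cannot distinguish the page's own JS from a visitor replaying the request in Postman. If creating a product is something only the server should be able to do, the browser must not be able to trigger it at all: keep the api_token on the server and make that call server-to-server, as in the earlier reply.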
