
simonw:

Locking down API routes on a per user basis?

Hi, I'm writing an API that contains a set of public/private endpoints using Laravel (6) and Passport.

However, I have a use case where a second application will need access to the same endpoints, PLUS a set of new endpoints that should only be available to the second application. It's all contained within the same API but these need to be locked down to very specific users.

I was thinking about scopes, but that appears to let any user who requests that scope access the endpoint. I need the actual endpoint itself to be inaccessible to specific users. Is this something Passport can do for me, or is there something in Laravel to handle this?

If not, then is this something I should implement manually? (i.e. create an access table that defines which users, or roles, have rights to access which endpoints)

Don't want to re-invent the wheel if Laravel or Passport already has this covered. Thanks!

0 likes
3 replies
martinbean:

@simonw Passport is just an OAuth server implementation. Users request tokens, tokens are then used to authorise a user making a request. Any permission-checking will need to be handled by your application.

For the second application, you should create a second OAuth client. If you know the users up-front that should only be able to make requests via that client (application), then you could write some middleware that rejects any requests from a user not in your allow-list.

simonw:

I see, it's actually a second app that will have users log in and those users could be anyone. Their credentials are used to access the API. We are trying to hide some internal API routes that aren't really needed outside of the second app. They're really in place just to support the second app, but it means that if somebody knew the endpoints they could easily just access them. They wouldn't be able to cause damage if people knew them; I think I just don't like the idea of them being accessible by anybody as they're really supposed to be just support routes for the second app.

I can just leave it be and not document it so it's largely unknown. My thought was to just have them inaccessible unless called from the second app, but that's pretty hard when it's the user themselves that logs in to authenticate the API.

simonw:

Thinking about your middleware solution, I could do a half measure here and only allow access to the route if the user logs in (and the app 2 authenticates using its own client/secret) via middleware. That middleware can just be applied to those routes that are restricted to app 2. Doesn't fully stop access, but it means someone would have to connect to the API knowing that client id and secret specifically.
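The middleware sketched in the last reply, written out as an added example that is not code from the thread: Passport stores the id of the issuing OAuth client on every access token, so a route can check that the bearer token was obtained through the second app's client even though the end user could be anyone. It assumes the middleware is registered in app/Http/Kernel.php under the alias `client` and that the restricted routes already sit behind `auth:api`.

```php
<?php
// Added example (not from the thread). Assumed file:
// app/Http/Middleware/RestrictToClient.php, registered in Kernel::$routeMiddleware as
//   'client' => \App\Http\Middleware\RestrictToClient::class,

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RestrictToClient
{
    /**
     * Usage (the client id "2" is a constructed placeholder for app 2's oauth_clients row):
     *
     *   Route::middleware(['auth:api', 'client:2'])->group(function () {
     *       Route::get('/internal/sync-state', 'InternalController@syncState');
     *   });
     *
     * Every argument after the colon is an oauth_clients id that may call the route.
     */
    public function handle(Request $request, Closure $next, string ...$allowedClientIds)
    {
        $user = $request->user();

        // auth:api must run first; without an authenticated user there is no token to inspect.
        if ($user === null || $user->token() === null) {
            abort(401, 'Unauthenticated.');
        }

        // Laravel\Passport\Token for this request; client_id is the client that issued it.
        $token = $user->token();

        // Route middleware parameters arrive as strings, so compare as strings.
        if (!in_array((string) $token->client_id, $allowedClientIds, true)) {
            // 404 keeps the support routes unadvertised, which is the goal stated above;
            // use abort(403) if an explicit denial is preferable.
            abort(404);
        }

        // This only narrows the route to tokens issued through app 2's client. Any
        // per-user or per-role authorisation still has to be checked in the application.
        return $next($request);
    }
}
```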
