
JeremyL's avatar

Desktop + Web App API Support? (Passport?)

I've been tasked with creating a JS application that will be compatible with Electron for a future phase (desktop app) and requires a backend API. I'm a Laravel fullstack developer, but this will require me to separate concerns and I have been trying to land on a tech stack but have some questions.

My current plan is to use:

- Vue (3 Vite) Frontend
- Electron for the desktop app
- NestJS or Laravel Backend

Laravel is my preference, but I'm looking for guidance as to what I should use for this. Sanctum appears to be out, specifically for CORS reasons. I was wondering if anyone has accomplished something similar, possibly with Passport.

Note: I specifically need to use Electron when creating the desktop app.

martinbean's avatar

@jeremyl Passport adds an OAuth server to your application. So yes, you could create an OAuth client for your Electron app, in order to obtain OAuth access tokens for users.

JeremyL's avatar

@martinbean So this would be as opposed to using Code Grant, correct?

What's the suggested method for Auth on my JavaScript app hitting the Laravel API?

Thank you!

martinbean's avatar

@JeremyL I don’t really understand the question? You would use an authorization code grant with PKCE client for your Electron app. The Passport docs have descriptions of each grant and what they should be used for. From https://laravel.com/docs/passport#code-grant-pkce:

The Authorization Code grant with "Proof Key for Code Exchange" (PKCE) is a secure way to authenticate single page applications or native applications to access your API.

An Electron app would be classed as a native application.

You should also be creating separate clients for separate, well, clients that will be hitting your API. So your JavaScript app would have its own client, as would the Electron app.

You can also mark these clients as “first party” (https://laravel.com/docs/passport#approving-the-request) so that when the user logs in on the back-end, they’re just automatically redirected back to the client with an OAuth token rather than getting a “Client X is requesting permission to access your account” authorisation screen, as it’s a bit pointless to ask a user if an official ACME app is requesting permission to access their ACME account.
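The client side of the authorization code grant with PKCE recommended in the reply above, as an added example that is not code from the thread or from the Passport docs. It assumes Passport's default `/oauth/authorize` and `/oauth/token` routes; the API origin, client ID and loopback redirect URI are constructed placeholders.

```javascript
// Added example: PKCE client side for an Electron app talking to Passport.
const crypto = require('node:crypto');

// Constructed values: replace with your API origin and the PKCE client you created.
const API = 'https://api.example.test';
const CLIENT_ID = 'electron-client-id';
const REDIRECT_URI = 'http://127.0.0.1:8123/callback';

// S256 challenge: base64url(SHA-256(verifier)) without padding (RFC 7636).
function challengeFor(verifier) {
  return crypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// One fresh verifier and state per login attempt; keep both in memory only.
function startLogin() {
  const verifier = crypto.randomBytes(32).toString('base64url'); // 43 chars
  const state = crypto.randomBytes(16).toString('base64url');
  const url = new URL('/oauth/authorize', API);
  url.search = new URLSearchParams({
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    response_type: 'code',
    scope: '',
    state,
    code_challenge: challengeFor(verifier),
    code_challenge_method: 'S256',
  }).toString();
  return { verifier, state, url: url.toString() };
}

// Validate the redirect and build the form body for POST {API}/oauth/token.
// No client secret is sent: the verifier proves this app started the flow.
function tokenRequest(callbackUrl, session) {
  const params = new URL(callbackUrl).searchParams;
  const got = Buffer.from(params.get('state') ?? '');
  const want = Buffer.from(session.state);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch: discard this response');
  }
  const code = params.get('code');
  if (!code) throw new Error(params.get('error') ?? 'no authorization code');
  return new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    code_verifier: session.verifier,
    code,
  });
}
```

Open the URL from `startLogin()` in the system browser, then pass the redirect the app receives to `tokenRequest()` together with the same session object.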
