Laravel API auth with jetstream / sanctum

Long story short, does anyone know how to embed API requests into blade without having to included the bearer token (personal access token) in the page source? I'm guessing it's not best practice to embed a token in the page source, even for first party.

Currently the only way I can make API requests with auth work is by using an extension to alpine.js that lets me add attributes to my links in blade files like:

@click="$post({route: '/api/my-route', headers: {Authorization: 'Bearer {{ config('app.api_token') }}'} })"

But this ends up rendering in the page source of course (and if it didn't, it would be in some javascript source somewhere). Is there a better alternative for embedding links like this?

jlrdw

1 year ago

Level 75

See https://laravel.com/docs/11.x/sanctum#issuing-api-tokens

Or use a controller.

1 like

daveb2

1 year ago

Level 3

Thanks @jlrdw , I've been through all the token auth stuff in the documentation and successfully created and authenticated against tokens, but only by sending them in the header. I guess token auth is not what I want.

In the end I just gave up and switched to a regular web route via auth:sanctum and put the code in a service, and I can just use if (auth()->user()->can()) which even I can manage.

I find the whole method of authenticating via api tokens to be very confusing (granted I'm probably very dumb). I found the docs to be full of info on how to create and manage tokens, but not how to actually use the darn things (at least, not that was clear to me). If there could just be a simple example of what a token-authenticated route definition should look like added to the docs, that would be great.

Please or to participate in this conversation.