
DevMaster_KS

Is personal access token good for api?

I have a Laravel Vue SPA application and I'm using Sanctum for authentication. The issue is that the APIs I'm using will be shared with other developers, meaning they will access my API using an Authorization Bearer token generated from a personal access token. Is it secure to use the createToken() method to generate personal access tokens for external API access? Any suggestions would be appreciated.

0 likes
4 replies
jlrdw

That is how sanctum works:

https://laravel.com/docs/11.x/sanctum#issuing-api-tokens

For a more general API where others use it but write their own front end have you considered passport?

Edit:

But even in sanctum they are free to get the data how they wish as far as the front end method used. And also how they handle the returned JSON, they write their own code.

Another api post I bookmarked is https://laracasts.com/discuss/channels/general-discussion/flow-of-an-api

DevMaster_KS

For my situation, using Sanctum for a Single Page Application (SPA) is a good choice, but when it comes to giving external developers access to my API, would it be better to switch to Passport?

I’ve created an API and shared it with other developers. To access the API, I provided them with a Personal Access Token generated using createToken(). In this case, would it be better to use Passport, or should I continue using the personal access tokens from Sanctum?

Thanks, @jlrdw.

jlrdw (Best Answer)

@DevMaster_KS

but when it comes to providing access to my API for other developers

Do you mean to use the data on their site?

If that's what you mean, sanctum is fine. All they get is JSON returned data, right?

A good API should only return the needed data. The developer of that site determines who uses the api on their end with their authentication.

Like in a doctors office:

The initial attendant has access to enter vitals, but no results.

The doctor or nurse can get lab results from an API to discuss with you.

Their developer handled all of that, not you. Your API just gives the requested data.

I admit I have never dealt with an SPA, but have dealt with APIs.

Note there are hundreds of different ways APIs are done.

Edit:

I suggest to not try to make an API like a web app.

  • Let a web app be for many users interactions like a forum or Amazon shopping
  • Let an API be for returning needed data to a user or organization like weather forecast

Probably 85% of the api questions are better suited to be regular web apps that are responsive (mobile friendly).

1 like
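As an added illustration of the answer above (not code from the thread or from Sanctum itself), this is how a Sanctum personal access token issued with createToken() can be scoped and time-limited for a third-party developer, and how the API side enforces that scope and returns only the needed fields. It assumes a stock Laravel 11 + Sanctum install; the ability names, the `orders()` relationship on `User` and the route paths are invented for the example.

```php
<?php
// Added example (not from the thread): issuing a scoped, expiring Sanctum
// personal access token to an external developer and consuming it.
// Assumes Laravel 11 + Sanctum 3.x; 'orders:read', the User::orders()
// relationship and the /api/v1 paths are made up for this illustration.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// 1. Issue the token (e.g. from an artisan command or an admin screen).
//    Abilities limit what this token may do; the expiry bounds the damage
//    if it leaks. Only plainTextToken is ever shown, and only once:
//    Sanctum stores a SHA-256 hash, so the secret cannot be recovered later.
function issuePartnerToken(User $partner): string
{
    $token = $partner->createToken(
        'partner-integration',   // name, useful for auditing and revocation
        ['orders:read'],         // abilities: read only, no write ability
        now()->addDays(90)       // expires_at (third argument, Sanctum >= 3.x)
    );

    return $token->plainTextToken; // hand over out of band, never log it
}

// 2. Consume the token. 'auth:sanctum' resolves the Bearer token to its
//    user; tokenCan() enforces the per-token ability on top of that.
Route::middleware('auth:sanctum')->prefix('api/v1')->group(function () {
    Route::get('/orders', function (Request $request) {
        abort_unless($request->user()->tokenCan('orders:read'), 403);

        // Return only the fields the integration needs, not whole models.
        return $request->user()->orders()
            ->latest()
            ->limit(100)
            ->get(['id', 'status', 'total', 'created_at']);
    });

    // 3. Let the token be revoked on demand (by you or the partner).
    Route::delete('/token', function (Request $request) {
        $request->user()->currentAccessToken()->delete();

        return response()->noContent();
    });
});
```

A token without an ability list defaults to `['*']`, so always pass the narrowest set the integration needs.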
DevMaster_KS

@jlrdw Yes, they will only receive JSON responses and manage the APIs for CRUD operations. In short, they’ll only interact with JSON data, and they can update that data as well. There aren't any complex operations involved. Perfect, thanks!
