Auth'n on GET (trying to stay RESTish)

I'm using default Laravel Jetstream / Sanctum and its implementation of Bearer Token in the Auth header but...

I'm developing an in-between API for a really old SOAP government service which mashes together different resources and resource actions in ways that only government can get away with.

The problem in search of a solution (or is it the other way around) that I am working on is that the gov service needs me to pass on the end user's government-registered email and password, along with a separate ID.

The ID I can jam into the URL like GET /v1/resource/{id}/details

But trying to incorporate the email/password is proving harder than Google's first page.

I can flip it to a POST and pass along all this, but don't really want that. I can encrypt these details into my Laravel DB, but the gov password changes every month so it would be a horrible UX to force them to update it at my end as well (I also don't really want them to log in to my system, only to use my API).

I'm not sure I want to use an X-Auth header as that wouldn't be respected like the default HTTP Authentication header.

What solutions has the ChatGPT trainers forum come up with?

0 likes
2 replies
Running some tests Laravel seems happy if I comma separate my Authorization header values. E.g. "Bearer ABCTOKEN,Basic BASE64EFG"

It Auths, $request->bearerToken() returns the token only, and $request->hasHeader('Authorization') returns the full string which I can explode, trim the Basic and base64_decode.
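The parsing step the reply above sketches (explode, trim the Basic part, base64_decode), written out as an added example that is not from the original post or from Laravel. It assumes the header carries exactly one Bearer and one Basic credential and that neither the token nor the base64 blob contains a comma, which holds for RFC 6750 b64token values and standard base64; anything malformed is rejected rather than partially decoded.

```php
<?php
// Added example, not part of the original post or of Laravel itself.
// Parses a combined header such as "Bearer ABCTOKEN,Basic BASE64EFG".
declare(strict_types=1);

/**
 * @return array{bearer: string, basic: array{user: string, pass: string}}|null
 *         null when the header does not hold exactly one well-formed Bearer
 *         credential and one well-formed Basic credential.
 */
function parseCombinedAuthorization(string $header): ?array
{
    $bearer = null;
    $basic  = null;

    foreach (explode(',', $header) as $part) {
        // Each part must be "<scheme> <credentials>" with a known scheme.
        if (preg_match('/^\s*(Bearer|Basic)\s+(\S+)\s*$/i', $part, $m) !== 1) {
            return null;
        }
        if (strtolower($m[1]) === 'bearer') {
            if ($bearer !== null) { return null; }   // duplicate Bearer part
            $bearer = $m[2];
            continue;
        }
        if ($basic !== null) { return null; }        // duplicate Basic part
        // Strict decoding rejects characters outside the base64 alphabet,
        // so garbage cannot be accepted as a "password" by accident.
        $decoded = base64_decode($m[2], true);
        if ($decoded === false || !str_contains($decoded, ':')) {
            return null;
        }
        // RFC 7617: the user-id cannot contain ':', the password may.
        [$user, $pass] = explode(':', $decoded, 2);
        if ($user === '') { return null; }
        $basic = ['user' => $user, 'pass' => $pass];
    }

    if ($bearer === null || $basic === null) {
        return null;
    }
    return ['bearer' => $bearer, 'basic' => $basic];
}

// Constructed sample values, mirroring the reply above.
$sample = 'Bearer ABCTOKEN,Basic ' . base64_encode('alice@example.gov:pa:ss:word');
var_dump(parseCombinedAuthorization($sample));                    // both parts decoded
var_dump(parseCombinedAuthorization('Bearer ABCTOKEN'));          // null: Basic part missing
var_dump(parseCombinedAuthorization('Bearer A,Basic !!notb64'));  // null: strict decode fails
```

Because the Basic part is the user's government password in recoverable form, the header must only ever travel over TLS and must be excluded from any request or access logging on the API side.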

The big brain question is... am I reinventing the wheel and exposing vulnerabilities?
