So basically I understand that a REST API is stateless and we should not use session-based authentication for API routes. However, let's say my application already has session-based authentication because it is a SPA. So I have a few questions.
- How do we actually protect these API routes without using the session, so that we can actually test these API routes in Postman etc.?
- How can we achieve this without affecting the existing authentication system?
- Do we need to use Passport or Sanctum to achieve this?
Thank you.
2 Answers
If your SPA and API are on the same domain, you likely want Sanctum, which uses sessions via cookies or tokens to manage authentication. Based on your question it seems like Sanctum would be the best fit for integrating with your existing authentication workflow.
If your SPA is not on the same domain as your API you’ll want to use either Fortify or Passport.
I would avoid Passport unless you require an OAuth workflow.
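The Sanctum setup the answer above recommends, as an added example that is not code from the original post, the answerer, or the Sanctum project. It assumes a Laravel 8 to 10 project with laravel/sanctum installed, the SPA served from a domain listed under `stateful` in config/sanctum.php, and `EnsureFrontendRequestsAreStateful` in the `api` middleware group of app/Http/Kernel.php; the `/orders` resource, the `orders:read` ability and the `/tokens` routes are hypothetical names chosen for the example. The point it shows is that one set of routes behind `auth:sanctum` accepts both the SPA's existing session cookie and a bearer token, so the session login flow stays untouched while Postman gets a token:

```php
<?php
// routes/api.php (added example; assumes App\Models\User already has the
// `use Laravel\Sanctum\HasApiTokens;` trait, which is the only model change)

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Everything in this group is reachable two ways:
//   1. from the SPA, with its normal session cookie (plus the XSRF header on
//      writes), because the SPA's origin is in config/sanctum.php 'stateful';
//   2. from Postman/curl, with "Authorization: Bearer <token>".
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/user', fn (Request $request) => $request->user());

    // Hypothetical protected resource. tokenCan() is always true for a
    // session-authenticated request; for a bearer request it enforces the
    // abilities the token was created with.
    Route::get('/orders', function (Request $request) {
        abort_unless($request->user()->tokenCan('orders:read'), 403);

        return ['orders' => []]; // placeholder payload for the example
    });

    // Mint a personal access token for tooling. The user reaches this route
    // with the session they already have, so the login flow is unchanged.
    // Scope the token to what the tool needs; the plaintext value is only
    // available once, at creation, and is stored hashed by Sanctum.
    Route::post('/tokens', function (Request $request) {
        $data = $request->validate(['name' => 'required|string|max:64']);

        $token = $request->user()->createToken($data['name'], ['orders:read']);

        return ['token' => $token->plainTextToken];
    });

    // Revoke every token issued under a given name (e.g. "postman").
    Route::delete('/tokens/{name}', function (Request $request, string $name) {
        $request->user()->tokens()->where('name', $name)->delete();

        return response()->noContent();
    });
});
```

From Postman, log in to the SPA in the browser, call `POST /api/tokens` with `{"name":"postman"}` from that same browser session, then send the returned value as `Authorization: Bearer <token>` together with `Accept: application/json` so failed auth returns a 401 JSON body instead of a redirect. Keep abilities narrow: a token created with the default `['*']` is as powerful as the session, and it does not expire unless you set an expiry or revoke it.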
Alternatively, you can create your own custom authentication using JWT tokens in Laravel to authenticate the API. For that you can use tymondesigns/jwt-auth, a third-party JWT auth library.
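The JWT variant suggested in this answer, as an added example that is not code from the answerer or the tymon/jwt-auth project. It assumes tymon/jwt-auth 1.x is installed with a secret generated by `php artisan jwt:secret`, that config/auth.php keeps `web` (session) as the default guard and adds `'api' => ['driver' => 'jwt', 'provider' => 'users']`, and that App\Models\User implements `Tymon\JWTAuth\Contracts\JWTSubject` (`getJWTIdentifier()` returning `$this->getKey()`, `getJWTCustomClaims()` returning `[]`). Keeping `web` as the default is what leaves the SPA's existing login untouched; every API call below names the `api` guard explicitly:

```php
<?php
// routes/api.php (added example; see the assumptions in the lead-in)

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Exchange credentials for a JWT. This is a separate endpoint from the SPA's
// session login, so the session guard and its routes are not modified.
Route::post('/auth/login', function (Request $request) {
    $credentials = $request->validate([
        'email'    => 'required|email',
        'password' => 'required|string',
    ]);

    // attempt() on the jwt guard returns the signed token or false.
    $token = auth('api')->attempt($credentials);
    if (! $token) {
        return response()->json(['error' => 'Unauthorized'], 401);
    }

    return response()->json([
        'access_token' => $token,
        'token_type'   => 'bearer',
        // TTL is configured in minutes (config/jwt.php 'ttl'); report seconds.
        'expires_in'   => auth('api')->factory()->getTTL() * 60,
    ]);
});

// Routes that require "Authorization: Bearer <jwt>". The auth:api middleware
// validates the signature, expiry and blacklist before the closure runs.
Route::middleware('auth:api')->group(function () {
    Route::get('/user', fn (Request $request) => $request->user());

    // Rotate: returns a new token and blacklists the one just presented.
    Route::post('/auth/refresh', fn () => [
        'access_token' => auth('api')->refresh(),
        'token_type'   => 'bearer',
        'expires_in'   => auth('api')->factory()->getTTL() * 60,
    ]);

    // Logout blacklists the current token; without the blacklist (which needs
    // a working cache store) a JWT stays valid until its exp claim passes.
    Route::post('/auth/logout', function () {
        auth('api')->logout();

        return response()->noContent();
    });
});
```

Test it with `POST /api/auth/login` in Postman, then reuse the `access_token` as a bearer header on `/api/user`. Unlike Sanctum's database-backed tokens, a JWT cannot be revoked server-side except through the blacklist, so keep the TTL short and do not disable `blacklist_enabled` in config/jwt.php if logout is supposed to mean anything.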