Reputation: 905
How to handle authorization for a non-user based Laravel API?
I have a Laravel web application for a restaurant with its own user base. I have another web application for a bookstore with its own different user base.
I would like to create a third application (mostly API, probably using Lumen) that can create accounting records from both the restaurant and the bookstore on every transaction that is made (i.e. when I sell any food, make a POST request to this API to insert a record, and do the same if I sell a book).
How can I guarantee that only authorized users from my web apps (any user) can make requests to my API, without asking them for any additional password?
Upvotes: 2
Views: 2454
Answers (2)
Reputation: 18197
This is a typical use case for the client credentials grant tokens oauth flow.
From the laravel passport documentation:
The client credentials grant is suitable for machine-to-machine authentication. For example, you might use this grant in a scheduled job which is performing maintenance tasks over an API.
Upvotes: 4
Reputation: 443
You can create an api-key for each user that has to be present in the post request's header. There should be a table in the API that has these keys stored with the corresponding user_id.
As such you can identify each user based on the given api-key.
Upvotes: 2
Related Questions
- How do we implement custom API-only authentication in Laravel
- Custom user authentication base on the response of an API call
- How to authorization user in laravel?
- API authentication for Ajax/Axios requests in a Laravel app?
- Laravel api authentication - how do I get User by api_token
- Laravel use auth()->user() for api
- Laravel 5.4 - Get user data without log-in (for API)
- Auth and user management in laravel rest api
- How to authenticate API requests in Laravel?
- Authenticating an API call from Laravel