Why laravel creates token on each request?

Question

I have the following code which utilizes Laravel Passport:

if(Auth::attempt($input, true)) {
    return \Auth::user()->createToken(Auth::user()->name, []);
}

So, when user logins every time, Laravel creates token over and over again. If this goes on happening, then database will overload for sure. Maybe I haven't yet understood how API Auth works.

Is there a way to prevent Laravel from doing this or is this what is to be expected?

Answer 1

The traditional process of interacting with a website is that you login from the login page. Next, you perform you desired actions and then log out. However, in the case of REST API, the process is quite different. The traditional procedure does not work in the case of RESTful APIs because the methods used on login page does not make any sense. You need to use api_token instead.

All you need to do is to append the api_token to the query string before making a request and the request is authenticated.

Now what Laravel 5.5 offers is quite interesting! You can easily implement this idea using the Passport library.

Answer 2

Unlike in a regular web app context, where you have sessions which preserve (logged in) state, a (RESTful) API is generally expected to be stateless. That means that a request would not have to depend on requests that happened previously. Everything necessary for a request, including authentication and authorization, should be handled in each separate request.

For more details see Cassio Mazzochi Molin's explanation of stateless Restful applications.

Kind regards,

Draco