Basic auth is only secure over HTTPS, same as OAuth 2. Passing the username and password as Basic Auth every time (since RESTful APIs should be stateless, therefore creating a session isn't the way to go) is a fair approach, but it means likely having to store the user's username and password, not ideal. A similar approach is to exchange the username and password for a generated API key which acts like a session, and provide that key as a header (like X-API-Key) for every request (fulfilling the stateless requirement) -- or another common way is providing it as the username for Basic auth, and accessing it using Request::getUser().

It's not inherently flawed, just be careful to use HTTPS for production and store the username/password safely on the client, or better yet use short-lived API keys.

Implementing an OAuth 2 server is going to be better, but also more complex.

So the best way to go is with an OAuth 2 server?

In here you have an implemetation for laravel, but you will need use HTTPS

https://github.com/lucadegasperi/oauth2-server-laravel

This library for Laravel 4 uses API key authentication on your controllers:

https://github.com/chrisbjr/api-guard

You would typically put your API key as part of your header - preferably the "Authorization" header so it would be encrypted when using HTTPS/SSL.

A better method of authenticating token in Laravel REST API is by using Laravel Passport (https://www.cloudways.com/blog/rest-api-laravel-passport-authe... ). It is a package that makes the authentication much easier and quicker. Passport provides a full OAuth2 server implementation for Laravel applications.