Authentication Session Eloquent

Hello,

What's the best model for authentication in REST services? I have been checking out this tutorial: http://code.tutsplus.com/tutorials/laravel-4-a-start-at-a-restful-api-updated--net-29785 but it appears to me that this is a bad authentication method.

I am creating an API for an app; each user has to log in to their account on the server so they can administer their own information.

What is a good practice for authentication?

The aforementioned tutorial just establishes that user:user_pass in the cURL call is enough, but I am worried that this is an insecure method...

Any ideas on what to do?

Last updated 3 years ago.
0

Basic auth is only secure over HTTPS, same as OAuth 2. Passing the username and password as Basic Auth every time (since RESTful APIs should be stateless, therefore creating a session isn't the way to go) is a fair approach, but it means likely having to store the user's username and password, not ideal. A similar approach is to exchange the username and password for a generated API key which acts like a session, and provide that key as a header (like X-API-Key) for every request (fulfilling the stateless requirement) -- or another common way is providing it as the username for Basic auth, and accessing it using Request::getUser().

It's not inherently flawed, just be careful to use HTTPS for production and store the username/password safely on the client, or better yet use short-lived API keys.

Implementing an OAuth 2 server is going to be better, but also more complex.

Last updated 3 years ago.
0
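The key-exchange approach described in the answer above, as an added example that is not part of the original thread or of any library mentioned in it: credentials are swapped once for a random short-lived key, only the key's hash is stored, and the key is accepted either in `X-API-Key` or as the Basic auth username. All function names, the 15-minute lifetime and the in-memory arrays (standing in for database tables) are assumptions, and the sample user is constructed.

```php
<?php
// Added example: hypothetical helpers, plain PHP, no framework calls.
const KEY_TTL = 900; // assumed key lifetime in seconds (short-lived)

/** Exchange verified credentials for an API key; only its hash is stored. */
function issueApiKey(array &$store, array $users, string $user, string $pass, int $now): ?string
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return null;
    }
    $key = bin2hex(random_bytes(32)); // 256-bit random key, returned to the client once
    $store[hash('sha256', $key)] = ['user' => $user, 'expires' => $now + KEY_TTL];
    return $key;
}

/** Read the key from X-API-Key, or from the username part of Basic auth. */
function extractApiKey(array $headers): ?string
{
    $h = array_change_key_case($headers, CASE_LOWER);
    if (!empty($h['x-api-key'])) {
        return $h['x-api-key'];
    }
    if (isset($h['authorization']) && stripos($h['authorization'], 'Basic ') === 0) {
        $decoded = base64_decode(substr($h['authorization'], 6), true);
        if ($decoded !== false) {
            return explode(':', $decoded, 2)[0] ?: null;
        }
    }
    return null;
}

/** Resolve a presented key to a user; unknown or expired keys are rejected. */
function authenticate(array &$store, array $headers, int $now): ?string
{
    $key = extractApiKey($headers);
    if ($key === null) { return null; }
    $id = hash('sha256', $key); // a stolen key table does not reveal usable keys
    if (!isset($store[$id])) { return null; }
    if ($store[$id]['expires'] <= $now) { unset($store[$id]); return null; }
    return $store[$id]['user'];
}

// Constructed sample data: one user, one key, three requests.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$store = [];
$key = issueApiKey($store, $users, 'alice', 'correct horse', 1000);
var_dump(authenticate($store, ['X-API-Key' => $key], 1100));
var_dump(authenticate($store, ['Authorization' => 'Basic ' . base64_encode("$key:")], 1100));
var_dump(authenticate($store, ['X-API-Key' => $key], 1000 + KEY_TTL)); // request after expiry
```

The client keeps only the key after the first exchange, so the password does not need to be stored on the device; every request still has to travel over HTTPS.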

So the best way to go is with an OAuth 2 server?

Last updated 3 years ago.
0

Here you have an implementation for Laravel, but you will need to use HTTPS:

https://github.com/lucadegasperi/oauth2-server-laravel

Last updated 3 years ago.
0

This library for Laravel 4 uses API key authentication on your controllers:

https://github.com/chrisbjr/api-guard

You would typically put your API key as part of your header - preferably the "Authorization" header so it would be encrypted when using HTTPS/SSL.

Last updated 3 years ago.
0

A better method of token authentication in a Laravel REST API is using Laravel Passport (https://www.cloudways.com/blog/rest-api-laravel-passport-authentication/). It is a package that makes authentication much easier and quicker. Passport provides a full OAuth2 server implementation for Laravel applications.

0
