Laravel Middleware Auth for API

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company
# Unifying Authentication: Custom Middleware for Flexible API Access in Laravel Developing an API that needs to support multiple authentication schemes—such as traditional session-based authentication alongside modern token-based systems like JWT—is a common requirement. When you need flexibility, trying to force one monolithic authentication check often leads to complex, brittle logic. The solution lies in leveraging Laravel's middleware system by creating a custom gatekeeper that intelligently checks multiple sources of truth. This post will walk you through how to create a custom middleware in Laravel 5.1 that allows an API request to be authenticated if it successfully passes *either* the default Laravel authentication check *or* the Tymon JWT token validation. ## The Strategy: Custom Middleware as an Authentication Broker Instead of trying to jam the logic directly into existing middlewares, the best practice is to create a dedicated middleware layer—an "Authentication Broker"—that orchestrates the checks. This keeps your core authentication logic (session handling vs. JWT decoding) separate from your route definitions, making the system cleaner and more extensible, which aligns perfectly with the robust architecture promoted by the [Laravel Company](https://laravelcompany.com). Our custom middleware will perform sequential checks: 1. **Check 1:** Attempt to validate the request via the standard Laravel session/cookie authentication process (e.g., checking for a valid session). 2. **Check 2:** If Check 1 fails, attempt to validate the request by decoding and verifying the Tymon JWT token provided in the header. 3. **Decision:** If either check yields a successful result, the request is authorized to proceed. ## Implementation Details: The Custom Middleware For this example, we will assume you have configured your application to use session auth and have installed the necessary package for JWT handling. Let's create our custom middleware. ### Step 1: Create the Middleware You would typically use the Artisan command to generate the class: ```bash php artisan make:middleware FlexibleAuthMiddleware ``` ### Step 2: Implement the Logic Inside the `handle` method of your new middleware, you will inject and call the necessary authentication services. Since Laravel 5.1 relies heavily on facade interactions, we can leverage them to perform the checks. Here is a conceptual example demonstrating how the logic flows within the middleware: ```php user() !== null) { // User is authenticated via session return $next($request); } // --- Check 2: Tymon JWT Authentication --- try { $token = $request->header('Authorization'); if ($token) { $payload = JWTAuth::parseToken($token); // If parsing is successful, the user is authenticated via JWT return $next($request); } } catch (\Exception $e) { // Token is invalid or expired, proceed to next check (or fail if no other auth exists) } // If neither method succeeded, deny access return response()->json(['error' => 'Unauthenticated.'], 401); } } ``` ### Step 3: Register the Middleware You must register this new middleware in your `app/Http/Kernel.php` file under the `$middlewareAliases` array so it can be easily invoked on your API routes. ## Conclusion By implementing a custom middleware like `FlexibleAuthMiddleware`, you successfully decouple the authentication mechanism from the route definitions. This approach is highly scalable and adheres to good design principles, allowing your API endpoints to accept valid credentials regardless of whether they originate from a session or a JWT. This flexibility is crucial for building robust APIs on Laravel. Remember that leveraging custom middleware is a powerful way to extend core functionality, making your application more adaptable and powerful, much like the comprehensive tools available through [Laravel Company](https://laravelcompany.com).