Basically, Laravel provides you an easy way to create a basic authentication system with login/register like a normal website. This is stated here: https://laravel.com/docs/5.7/authentication. Copying files from vendor/laravel/… is a bad idea, so Laravel has a command called
php artisan make:auth, which does that and does it properly.
To help you understand what's going on: the user/password thing and the api_token are two different things.
Choose the way you want to authenticate users:
- Via the classic username & password way, without generating any tokens: this is the simplest way to authenticate users. Users register, and then use the same user/password combination at login. When the credentials are correct, Laravel sets a session that is stored in a cookie, a file, Redis or wherever you want to save it.
- Via a token for stateless apps. Let's say you work with React/Angular/Vue, where you cannot store secret information in the frontend. So you'll have to make the user authenticate with your username and password, generate a token in the backend and pass the token to the frontend. At that point, you should pass that token to any endpoint. When passed, the server knows that the token belongs to the User with ID X and knows who he is when it's making a request. Tokens are easily revocable and no credential is shown.
Laravel Passport has a route that helps you generate a token with user email and password and an app secret and id (which are generated within your backend): https://laravel.com/docs/5.7/passport#password-grant-tokens
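The token flow described in the second option, as an added example that is not part of the original post and is not Laravel's or Passport's code: a plain-PHP sketch of login, bearer-token lookup and revocation. The class name, the in-memory storage and the sample account are assumptions made for illustration.

```php
<?php
// Added example in plain PHP (no Laravel). All names and sample values are constructed.
declare(strict_types=1);

final class TokenAuth
{
    private $users = [];   // email => ['id' => int, 'hash' => password hash]
    private $tokens = [];  // sha256(token) => user id

    public function register(int $id, string $email, string $password): void
    {
        // Only a password hash is kept, never the password itself.
        $this->users[$email] = ['id' => $id, 'hash' => password_hash($password, PASSWORD_DEFAULT)];
    }

    /** Exchange credentials for a token; returns null on bad credentials. */
    public function login(string $email, string $password): ?string
    {
        $user = $this->users[$email] ?? null;
        if ($user === null || !password_verify($password, $user['hash'])) {
            return null;
        }
        $token = bin2hex(random_bytes(32));                   // 256 bits from the CSPRNG
        $this->tokens[hash('sha256', $token)] = $user['id'];  // store only the digest
        return $token;                                        // handed to the frontend once
    }

    /** Resolve an "Authorization: Bearer <token>" header value to a user id. */
    public function userFromHeader(string $header): ?int
    {
        if (!preg_match('/^Bearer ([0-9a-f]{64})$/', $header, $m)) {
            return null;  // malformed or missing token
        }
        return $this->tokens[hash('sha256', $m[1])] ?? null;
    }

    /** Revoking a token does not touch the user's password. */
    public function revoke(string $token): void
    {
        unset($this->tokens[hash('sha256', $token)]);
    }
}

$auth = new TokenAuth();
$auth->register(7, 'alice@example.test', 'constructed-sample-password');
$token = $auth->login('alice@example.test', 'constructed-sample-password');
var_dump($auth->userFromHeader("Bearer $token"));  // token resolves to the user id
$auth->revoke($token);
var_dump($auth->userFromHeader("Bearer $token"));  // same token after revocation
```

Because the server keeps only a SHA-256 digest of each token, a leaked token table does not hand out usable tokens, and revoking one token leaves the password and any other tokens untouched.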