Tags: laravel, authorization, api-authorization

How to handle authorization for a non-user based Laravel API?


I have a Laravel web application for a restaurant with its own user base. I have another web application for a bookstore with its own different user base.

I would like to create a third application (mostly API, probably using Lumen) that can create accounting records from both the restaurant and the bookstore on every transaction that is made (i.e. when I sell any food, make a POST request to this API to insert a record, and do the same if I sell a book).

How can I guarantee that only authorized users from my web apps (any user) can make requests to my API, without asking them for any additional password?


Solution

  • This is a typical use case for the client credentials grant OAuth flow.

    From the Laravel Passport documentation:

    The client credentials grant is suitable for machine-to-machine authentication. For example, you might use this grant in a scheduled job which is performing maintenance tasks over an API.
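To make the answer concrete, here is an added example (not code from the question or the answer) of wiring the client credentials grant with Laravel Passport for the accounting API described above. It assumes a Laravel (not Lumen) API with Passport installed; the client names, scope, route, URL and config keys are placeholders chosen for this illustration.

```php
<?php
// Added example, not code from the question or the answer. Assumes Laravel with
// Passport installed on the accounting API; client names, scope, URL and config
// keys below are placeholders chosen for this illustration.
//
// One-off setup on the API: create one confidential client per calling app
// (no user is involved) and register Passport's client-credentials middleware
// as 'client' in app/Http/Kernel.php ($routeMiddleware):
//   php artisan passport:client --client --name="restaurant-app"
//   php artisan passport:client --client --name="bookstore-app"
//   'client' => \Laravel\Passport\Http\Middleware\CheckClientCredentials::class,
// In AuthServiceProvider::boot(), declare the scope and keep tokens short-lived
// so a leaked token is only useful for a limited window:
//   Passport::tokensCan(['accounting:write' => 'Create accounting records']);
//   Passport::tokensExpireIn(now()->addMinutes(30));

// ---- accounting API: routes/api.php ---------------------------------------
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Only a request bearing a valid client_credentials token that carries the
// 'accounting:write' scope reaches the handler; everything else gets 401/403.
Route::post('/accounting/records', function (Request $request) {
    $data = $request->validate([
        'source'      => 'required|in:restaurant,bookstore',
        'amount'      => 'required|numeric|min:0',
        'description' => 'required|string|max:255',
    ]);
    // ... persist $data here; the token's client_id tells you which app called.
    return response()->json(['status' => 'created'], 201);
})->middleware('client:accounting:write');

// ---- calling app (restaurant or bookstore): e.g. app/Services/Accounting.php
use Illuminate\Support\Facades\Http;

function postAccountingRecord(array $record): bool
{
    // Exchange the app's own credentials for a token; no end-user password is
    // involved. Secrets live in .env and are read via config/services.php
    // (services.accounting.* keys are assumed for this example).
    $base  = config('services.accounting.url');
    $token = Http::asForm()->post($base . '/oauth/token', [
        'grant_type'    => 'client_credentials',
        'client_id'     => config('services.accounting.client_id'),
        'client_secret' => config('services.accounting.client_secret'),
        'scope'         => 'accounting:write',
    ])->throw()->json('access_token');

    return Http::withToken($token)
        ->post($base . '/api/accounting/records', $record)
        ->successful();
}
```

In a real deployment, cache the access token until shortly before it expires instead of requesting a new one per record, and serve the token endpoint over HTTPS only, since the client secret is sent in the request body.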