Using the same controller actions for external and internal API


I am currently using Guardian to authenticate my client-side react app with JWTs

I have two problems.

  1. I’d like use multiple subdomains. Saving the JWT in localstorage does not work for this as it is not cross-domain. Instead I am contemplating saving the JWT inside a cookie instead.
  2. I’d like to use the same controller actions as in 1. for my public-facing API, but instead use a access token approach in this case.

So what is a good way to have different auth schemes, while reusing controllers?

Is it kind of like is where you sign them up. Then once they sign up, you log them in at and then redirect them to So that’s where you hit that localstorage jwt problem?

Would it be easier to have them sign up at… then you create and forward them there where they’re hit with a login screen.

Then when they login via you can store the JWT in localstorage there? Instead of

You could keep a cookie so you know what subdomains that user has… but force them to login at their subdomain so you can keep the jwt in local storage.

I don’t think there’s anything wrong with storing JWT in a cookie. Cookies and localstorage suffers from the same XSS vulnerabilities, and as long as you’re not sending the token by default with every request you should be safe from CSRF. The only difference would then be the size of the storage (localstorage can store bigger-sized content). With cookie you also gain the cross-domain capability.

For number 2, I think it’s only a case of defining a pipeline and scope. I never tried it, but I assume Phoenix router would allow different routes to have the same handler function?

You’re right, Phoenix router with pipelines and scopes worked perfectly.

Only problem I am having now is that Guardian does not seem to allow authenticating sockets using the cookie, as you must explicitly pass in the JWT on connection