From the start, the GetCandy API has been married to Laravel Passport. As technology evolves, different API authentication approaches become available, and depending on the requirements of your project you may or may not need something as beefy as Passport.
For example, Taylor has released Laravel Sanctum which will probably suit the needs of a lot of developers who want to use GetCandy.
As it stood, this would have been difficult, as Passport was a core dependency of the API and the middleware was fully embedded into the core. Painful, considering we're all about giving you ultimate flexibility in how you build your online store.
This is also true if you wanted to just use JWT token authentication. The API shouldn't care where the authenticated user came from or how they got there, only that they are authenticated where needed.
Which is why in the next beta release tag we will be stripping out Passport and providing guides on how you could authenticate your API. But ultimately we're leaving it up to you.
https://guides.getcandy.io/api/protecting-routes
https://guides.getcandy.io/getting-started/api/installation#protecting-routes
If you have any thoughts on this, it'd be good to hear them.