This comparison shows two common ways to connect a browser UI with backend microservices.
Both are valid, but they solve different problems.
---
Variant A: PHP Secure Proxy (Gateway Pattern)
┌───────────┐
│  Browser  │
│ (Session) │
└─────┬─────┘
      │ JSON (report, params)
      ▼
┌───────────────┐
│   PHP Proxy   │
├───────────────┤
│ - Session     │
│ - Roles       │
│ - Validation  │
│ - Audit log   │
└─────┬─────────┘
      │ JSON + service token
      ▼
┌──────────────────────┐
│ Harbour Microservice │
├──────────────────────┤
│ - Business logic     │
│ - DBF access         │
│ - No user login      │
└──────────────────────┘
Core idea:
PHP acts as the authority and security boundary.
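The gateway steps from the Variant A diagram (session, roles, validation, audit log, then JSON plus a service token), as an added PHP example that is not the author's or WINHOTEL's code. The report names, roles, parameter patterns, `gateway()` and the injected `$send` and `$audit` callables are assumptions made for illustration; the transport is faked so the block runs offline.

```php
<?php
declare(strict_types=1);
// Hypothetical policy: report name => allowed roles and per-parameter patterns.
const REPORTS = [
    'occupancy' => ['roles'  => ['manager', 'frontdesk'],
                    'params' => ['from' => '/^\d{4}-\d{2}-\d{2}\z/', 'to' => '/^\d{4}-\d{2}-\d{2}\z/']],
    'revenue'   => ['roles'  => ['manager'],
                    'params' => ['month' => '/^\d{4}-\d{2}\z/']],
];

// $session stands in for $_SESSION; $send and $audit are injected so this runs offline.
function gateway(array $session, string $body, string $serviceToken, callable $send, callable $audit): array
{
    $user = $session['user'] ?? null;
    $deny = function (int $status, string $reason) use ($audit, $user): array {
        $audit(['user' => $user, 'decision' => 'deny', 'reason' => $reason]);
        return ['status' => $status, 'error' => $reason];
    };
    if (!is_string($user)) return $deny(401, 'no session');

    $req = json_decode($body, true);
    if (!is_array($req) || !is_string($req['report'] ?? null)) return $deny(400, 'malformed request');
    $policy = REPORTS[$req['report']] ?? null;
    if ($policy === null) return $deny(404, 'unknown report');
    if (!in_array($session['role'] ?? null, $policy['roles'], true)) return $deny(403, 'role not allowed');

    // Forward only allow-listed, validated parameters; anything else is dropped.
    $input  = is_array($req['params'] ?? null) ? $req['params'] : [];
    $params = [];
    foreach ($policy['params'] as $name => $pattern) {
        $value = $input[$name] ?? null;
        if (!is_string($value) || preg_match($pattern, $value) !== 1) return $deny(400, "invalid parameter: $name");
        $params[$name] = $value;
    }
    $audit(['user' => $user, 'decision' => 'allow', 'report' => $req['report'], 'params' => $params]);
    // The microservice receives the service token, never the browser's session.
    return $send(['report' => $req['report'], 'params' => $params], ['Authorization: Bearer ' . $serviceToken]);
}

// Constructed demo: in-memory audit log and a fake transport instead of a real HTTP call.
$log   = [];
$audit = function (array $entry) use (&$log): void { $log[] = $entry; };
$send  = fn(array $json, array $headers): array => ['status' => 200, 'forwarded' => $json];
$desk  = ['user' => 'anna', 'role' => 'frontdesk'];
$ok    = '{"report":"occupancy","params":{"from":"2024-05-01","to":"2024-05-31","debug":"1"}}';
foreach ([[$desk, $ok], [$desk, '{"report":"revenue","params":{"month":"2024-05"}}'], [[], $ok]] as [$s, $b]) {
    echo json_encode(gateway($s, $b, 'SERVICE-TOKEN-PLACEHOLDER', $send, $audit)), PHP_EOL;
}
echo json_encode($log, JSON_PRETTY_PRINT), PHP_EOL;
```

The patterns end in `\z` rather than `$` so a value with a trailing newline is rejected, and every deny path writes an audit entry before returning.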
---
Variant B: JWT Direct Access
┌───────────┐
│  Browser  │
│   (JWT)   │
└─────┬─────┘
      │ JSON + JWT
      ▼
┌──────────────────────┐
│ Harbour Microservice │
├──────────────────────┤
│ - JWT validation     │
│ - Role checks        │
│ - Business logic     │
│ - DBF access         │
└──────────────────────┘
Core idea:
---
Visual comparison (simplified)
PHP Proxy:
[Browser] → [Central Control] → [Services]
JWT:
[Browser + Trust] → [Services]
---
One-sentence explanation
With a PHP Secure Proxy, authority is centralized in the gateway;
with JWT, authority is decentralized and carried by the token.
---
When each model fits best
PHP Secure Proxy
- internal or controlled systems
- ERP / hotel software / industry solutions
- legacy backends (DBF, C, Harbour)
- strong audit and traceability requirements
- clear security boundary
JWT
- public APIs
- mobile apps
- many independent services
- fully stateless architectures
- maximum horizontal scalability
---
Important note: not an "either/or"
These approaches do not exclude each other.
A common hybrid model:
- PHP Secure Proxy at the edge
- JWT or shared secrets inside the service layer
---
Conclusion
JWT primarily solves a distribution and scaling problem.
A PHP Secure Proxy primarily solves a control, security, and auditability problem.
The better choice depends on system context, not on trends.
For administrative software, a PHP Secure Proxy often feels simpler and more elegant. It centralizes control, embraces state where it already exists, and allows backend services to focus purely on business logic instead of authentication mechanics. That's why I chose this approach for WINHOTEL Gold Edition.