How to redirect passing data without using query parameters in PHP?

I have an application that works as the following:

• index.html loads index.js
• index.js looks for a token on local storage, doesn't find it and redirects to auth.php using window.location.href = "auth.php";
• auth.php redirects to external-api.com using header("Location: external-api.com/login");
• the user logs in on their platform, which redirects back to auth.php with a code using get request
• auth.php then makes a post to external-api.com with that code and a few more params, and receives a response with an actual access token
• auth.php redirects back to index.html using header("Location: index.html?token=".$token);

However, is there a way to redirect back passing data without using query parameters?

Your question is a little unclear because you mention token multiple times, but there are 2 different tokens + a 'code'.

1. Local storage token
2. external-api sends user to auth.php?code=some_code
3. auth.php sends POST request to external-api & gets ACCESS TOKEN

I doubt you can hide the code in step 2 (would depend on how the external API works) & you can't hide the token in step 1 (because it is in local storage, on the client machine). So, I assume you're trying to hide the ACCESS TOKEN received from the POST request to external-api, when redirecting back to index.html

So, assuming the only place you need to hide the token is during header("Location: index.html?token=".$token);, then you can use $_SESSION['token'] = $token, then just use header("Location: index.html); and retrieve $_SESSION['token'] during the request to index.html

Also, you could map the ACCESS TOKEN to an internal code, & pass the internal code to the user. That way, the user could not directly request user information from external-api.

You might be interested in https://stackoverflow.com/questions/5576619/php-redirect-with-post-data/55852737#55852737, where I further detail the $_SESSION approach.