Laravel Sanctum – Simple API authentication

Laravel Sanctum is a simple and lightweight authentication system designed specifically for API authentication in Laravel applications. It provides a straightforward way to authenticate users via tokens while being easy to implement and manage. Sanctum is ideal for SPAs (Single Page Applications) or simple mobile applications, where you want to authenticate users using a traditional session or API tokens.

Key Features of Laravel Sanctum:

  1. API Token Authentication: Allows users to generate API tokens that can be used to authenticate against your application.
  2. SPA Authentication: Supports traditional session-based authentication for SPAs using cookies.
  3. Token Scopes: You can define scopes to limit access for different tokens, providing granular control over what users can do with their tokens.
  4. Lightweight: Unlike OAuth2 implementations such as Passport, Sanctum is much simpler and designed for basic authentication needs.
  5. Multiple Token Types: Supports both personal access tokens and simple token-based authentication for API requests.

Installation

To install and set up Laravel Sanctum, follow these steps:

  1. Install Laravel Sanctum: Use Composer to install Sanctum:
  2. Run Migrations: Publish the Sanctum migration files and migrate them to create the necessary database tables:
  3. Add Sanctum Middleware: Add the Sanctum middleware to your api middleware group in the app/Http/Kernel.php file:
  4. Use HasApiTokens Trait: In your User model (app/Models/User.php), include the HasApiTokens trait:
  5. Configure Authentication Guards: In your config/auth.php, you should set the api guard to use sanctum:

Authentication Process with Sanctum

1. API Token Authentication:

Users can generate tokens for accessing APIs. Here’s how to create and use tokens:

  • Creating Tokens: Users can create personal access tokens like this:
  • Using Tokens: Use the generated token to authenticate API requests. Simply include it in the Authorization header:
  • Example API Request: Here’s how to set up a route and controller method to protect with Sanctum:

2. Session-Based Authentication:

Sanctum also allows session-based authentication for SPAs. Here’s how to set it up:

  • Login: When a user logs in, you can create a session:
  • Logout: Users can log out by invalidating the session:

Token Scopes

You can define scopes to provide different permissions for different tokens. Here’s how to implement scopes in Sanctum:

  • Defining Scopes: When creating a token, you can define scopes:
  • Protecting Routes: You can protect your routes based on scopes:
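The token flow and scope checks described in the two sections above, as one added example that is not code from the original post. It assumes the default App\Models\User with the HasApiTokens trait and the auth:sanctum guard configured as in the installation steps; the orders:read and orders:write abilities (Sanctum's name for scopes) are made up for the example.

```php
<?php
// Added example, not code from the original post. Assumes the default
// App\Models\User with the HasApiTokens trait and the auth:sanctum guard
// set up as described above; "orders:read"/"orders:write" are made-up abilities.
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\ValidationException;

// Issue a token with limited abilities (Sanctum's name for scopes).
// The plain-text value is returned exactly once; Sanctum stores only its SHA-256 hash.
Route::post('/login', function (Request $request) {
    $data = $request->validate([
        'email'       => ['required', 'email'],
        'password'    => ['required'],
        'device_name' => ['required', 'string', 'max:255'],
    ]);
    $user = User::where('email', $data['email'])->first();
    if (! $user || ! Hash::check($data['password'], $user->password)) {
        throw ValidationException::withMessages([
            'email' => ['The provided credentials are incorrect.'],
        ]);
    }
    // One token per device, so a single lost device can be revoked on its own.
    $token = $user->createToken($data['device_name'], ['orders:read']);
    return response()->json(['token' => $token->plainTextToken]);
});

Route::middleware('auth:sanctum')->group(function () {
    // Read access: the ability granted at /login.
    Route::get('/orders', function (Request $request) {
        abort_unless($request->user()->tokenCan('orders:read'), 403);
        return response()->json(['orders' => []]); // placeholder payload
    });

    // Write access: tokens issued above lack orders:write and get a 403,
    // so a leaked read-only token cannot be used to place orders.
    // Note: for cookie-authenticated SPA sessions tokenCan() always returns true.
    Route::post('/orders', function (Request $request) {
        abort_unless($request->user()->tokenCan('orders:write'), 403);
        return response()->json(['created' => true], 201);
    });

    // Revoke only the token used for this request; other devices stay signed in.
    Route::post('/logout', function (Request $request) {
        $request->user()->currentAccessToken()->delete();
        return response()->noContent();
    });
});
```

Clients send the returned value as `Authorization: Bearer <token>`; revoking a single device's token via /logout, rather than deleting all of the user's tokens, is the usual choice when a device is lost.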

Summary of Use Cases:

  • Single Page Applications (SPAs): Use Sanctum for session-based authentication to maintain a seamless user experience.
  • Mobile Applications: Use personal access tokens for API authentication when users access the API via mobile apps.
  • API Development: Ideal for simple APIs where you don’t need the complexity of OAuth2.

Conclusion

Laravel Sanctum is a powerful and flexible authentication system that strikes a balance between simplicity and functionality, making it an excellent choice for developers looking to secure their APIs without the overhead of a full OAuth2 server like Passport.
