Laravel Sanctum – Simple API authentication

Laravel Sanctum is a simple and lightweight authentication system designed specifically for API authentication in Laravel applications. It provides a straightforward way to authenticate users via tokens while being easy to implement and manage. Sanctum is ideal for SPAs (Single Page Applications) or simple mobile applications, where you want to authenticate users using a traditional session or API tokens.

Key Features of Laravel Sanctum:

1. API Token Authentication: Allows users to generate API tokens that can be used to authenticate against your application.
Advertisement
2. SPA Authentication: Supports traditional session-based authentication for SPAs using cookies.
3. Token Scopes: You can define scopes to limit access for different tokens, providing granular control over what users can do with their tokens.
4. Lightweight: Unlike OAuth2 solutions like Passport, Sanctum is much simpler and designed for basic authentication needs.
5. Multiple Token Types: Supports both personal access tokens and simple token authentication for API requests.

Installation

To install and set up Laravel Sanctum, follow these steps:

1. Install Laravel Sanctum: Use Composer to install Sanctum:
   
   composer require laravel/sanctum

   1	composer require laravel/sanctum

2. Run Migrations: Publish the Sanctum migration files and migrate them to create the necessary database tables:
   
   php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider" php artisan migrate

   1 2	php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider" php artisan migrate

3. Add Sanctum Middleware: Add the Sanctum middleware to your api middleware group in the app/Http/Kernel.php file:
   
   protected $middlewareGroups = [ 'api' => [ \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class, 'throttle:api', \Illuminate\Routing\Middleware\SubstituteBindings::class, ], ];

   1 2 3 4 5 6 7

   protected $middlewareGroups = [     'api' => [         \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,         'throttle:api',         \Illuminate\Routing\Middleware\SubstituteBindings::class,     ], ];

4. Use HasApiTokens Trait: In your User model (app/Models/User.php), include the HasApiTokens trait:
   
   use Laravel\Sanctum\HasApiTokens; class User extends Authenticatable { use HasApiTokens, Notifiable; }

   1 2 3 4 5 6

   use Laravel\Sanctum\HasApiTokens;   class User extends Authenticatable {     use HasApiTokens, Notifiable; }

5. Configure Authentication Guards: In your config/auth.php, you should set the api guard to use sanctum:
   
   'guards' => [ 'web' => [ 'driver' => 'session', 'provider' => 'users', ], 'api' => [ 'driver' => 'sanctum', 'provider' => 'users', ], ],

   1 2 3 4 5 6 7 8 9 10 11

   'guards' => [     'web' => [         'driver' => 'session',         'provider' => 'users',     ],       'api' => [         'driver' => 'sanctum',         'provider' => 'users',     ], ],

Authentication Process with Sanctum

1. API Token Authentication:

Users can generate tokens for accessing APIs. Here’s how to create and use tokens:

• Creating Tokens: Users can create personal access tokens like this:
  
  $token = $user->createToken('Token Name')->plainTextToken;

  1	$token = $user->createToken('Token Name')->plainTextToken;

• Using Tokens: Use the generated token to authenticate API requests. Simply include it in the Authorization header:

• Example API Request: Here’s how to set up a route and controller method to protect with Sanctum:

2. Session-Based Authentication:

Sanctum also allows session-based authentication for SPAs. Here’s how to set it up:

• Login: When a user logs in, you can create a session:
  
  Route::post('/login', function (Request $request) { $credentials = $request->only('email', 'password'); if (Auth::attempt($credentials)) { return response()->json(['message' => 'Logged in successfully'], 200); } return response()->json(['message' => 'Invalid credentials'], 401); });

  1 2 3 4 5 6 7 8 9

  Route::post('/login', function (Request $request) {     $credentials = $request->only('email', 'password');       if (Auth::attempt($credentials)) {         return response()->json(['message' => 'Logged in successfully'], 200);     }       return response()->json(['message' => 'Invalid credentials'], 401); });

• Logout: Users can log out by invalidating the session:
  
  Route::post('/logout', function (Request $request) { Auth::logout(); return response()->json(['message' => 'Logged out successfully'], 200); });

  1 2 3 4

  Route::post('/logout', function (Request $request) {     Auth::logout();     return response()->json(['message' => 'Logged out successfully'], 200); });

Token Scopes

You can define scopes to provide different permissions for different tokens. Here’s how to implement scopes in Sanctum:

• Defining Scopes: When creating a token, you can define scopes:
  
  $token = $user->createToken('Token Name', ['place-orders'])->plainTextToken;

  1	$token = $user->createToken('Token Name', ['place-orders'])->plainTextToken;

• Protecting Routes: You can protect your routes based on scopes:
  
  Route::middleware('auth:sanctum', 'scope:place-orders')->post('/orders', function (Request $request) { // Logic to place order });

  1 2 3

  Route::middleware('auth:sanctum', 'scope:place-orders')->post('/orders', function (Request $request) {     // Logic to place order });

Summary of Use Cases:

• Single Page Applications (SPAs): Use Sanctum for session-based authentication to maintain a seamless user experience.
• Mobile Applications: Use personal access tokens for API authentication when users access the API via mobile apps.
• API Development: Ideal for simple APIs where you don’t need the complexity of OAuth2.

Conclusion

Laravel Sanctum is a powerful and flexible authentication system that strikes a balance between simplicity and functionality, making it an excellent choice for developers looking to secure their APIs without the overhead of a full OAuth2 server like Passport.

1. Laravel Breeze – Simple authentication starter kit
2. Laravel Jetstream – Scaffolding for Laravel apps
3. Laravel Passport – API authentication via OAuth2
4. Laravel Sanctum – Simple API authentication
5. Spatie Laravel Permission – Role and permission management
6. Laravel Cashier – Subscription billing with Stripe
7. Laravel Scout – Full-text search using Algolia
8. Laravel Socialite – OAuth authentication (Google, Facebook, etc.)
9. Laravel Excel – Excel import and export for Laravel
10. Laravel Horizon – Redis queues monitoring
11. Laravel Nova – Admin panel for Laravel
12. Laravel Fortify – Backend authentication for Laravel
13. Laravel Vapor – Serverless deployment on AWS
14. Laravel Telescope – Debugging assistant for Laravel
15. Laravel Dusk – Browser testing
16. Laravel Mix – API for compiling assets
17. Spatie Laravel Backup – Backup management
18. Laravel Livewire – Building dynamic UIs
19. Spatie Laravel Media Library – Manage media uploads
20. Laravel Excel – Excel spreadsheet handling
21. Laravel Debugbar – Debug tool for Laravel
22. Laravel WebSockets – Real-time communication
23. Spatie Laravel Sitemap – Generate sitemaps
24. Laravel Spark – SaaS scaffolding
25. Laravel Envoy – Task runner for deployment
26. Spatie Laravel Translatable – Multilingual model support
27. Laravel Backpack – Admin panel
28. Laravel AdminLTE – Admin interface template
29. Laravel Collective Forms & HTML – Simplified form and HTML generation
30. Spatie Laravel Analytics – Google Analytics integration
31. Laravel Eloquent Sluggable – Automatically create slugs
32. Laravel Charts – Chart integration
33. Laravel Auditing – Track changes in models
34. Laravel JWT Auth – JSON Web Token authentication
35. Laravel Queue Monitor – Monitor job queues
36. Spatie Laravel Query Builder – Filter, sort, and include relationships in Eloquent queries
37. Laravel Datatables – jQuery Datatables API
38. Laravel Localization – Multilingual support for views and routes
39. Laravel Acl Manager – Access control list manager
40. Laravel Activity Log – Record activity in your app
41. Laravel Roles – Role-based access control
42. Spatie Laravel Tags – Tagging models
43. Laravel Installer – CLI installer for Laravel
44. Laravel Breadcrumbs – Generate breadcrumbs in Laravel
    Advertisement
45. Laravel Mailgun – Mailgun integration for Laravel
46. Laravel Trustup Model History – Store model change history
47. Laravel Deployer – Deployment automation tool
48. Laravel Auth – Custom authentication guards
49. Laravel CORS – Cross-Origin Resource Sharing (CORS) support
50. Laravel Notifications – Send notifications through multiple channels
51. Spatie Laravel Http Logger – Log HTTP requests
52. Laravel Permission Manager – Manage permissions easily
53. Laravel Stubs – Customize default stubs in Laravel
54. Laravel Fast Excel – Speed up Excel exports
55. Laravel Image – Image processing
56. Spatie Laravel Backup Server – Centralize backups for Laravel apps
57. Laravel Forge API – Manage servers through the Forge API
58. Laravel Blade SVG – Use SVGs in Blade templates
59. Laravel Ban – Ban/unban users from your application
60. Laravel API Response – Standardize API responses
61. Laravel SEO – Manage SEO meta tags
62. Laravel Settings – Store and retrieve settings
63. Laravel DOMPDF – Generate PDFs
64. Laravel Turbo – Full-stack framework for building modern web apps
65. Spatie Laravel Event Sourcing – Event sourcing implementation
66. Laravel Jetstream Inertia – Jetstream’s Inertia.js integration
67. Laravel Envoy Tasks – Task automation
68. Laravel Likeable – Like/dislike functionality
69. Laravel GeoIP – Determine visitor’s geographic location
70. Laravel Country State City – Dropdowns for country, state, and city
71. Laravel Hashids – Generate short unique hashes
72. Laravel Repository – Repository pattern for Laravel
73. Laravel UUID – UUID generation for models
74. Spatie Laravel Medialibrary Pro – Enhanced media management
75. Laravel Queue Monitor – Monitor Laravel job queues
76. Laravel User Activity – Monitor user activity
77. Laravel DB Snapshots – Create database snapshots
78. Laravel Twilio – Twilio integration
79. Laravel Roles – Role-based permission handling
80. Laravel Translatable – Add translations to Eloquent models
81. Laravel Teamwork – Manage teams in multi-tenant apps
82. Laravel Full Text Search – Add full-text search to Laravel models
83. Laravel File Manager – File and media management
84. Laravel User Timezones – Automatically detect user time zones
85. Laravel ChartsJS – Render charts with ChartsJS
86. Laravel Stripe – Stripe API integration
87. Laravel PDF Generator – PDF generation
88. Laravel Elasticsearch – Elasticsearch integration
89. Laravel Simple Qrcode – Generate QR codes
90. Laravel Timezone – Manage timezones and conversions
91. Laravel Collective API – API management for Laravel
92. Laravel Rest API Boilerplate – REST API starter kit
93. Laravel Multi Auth – Multi-authentication functionality
94. Laravel Voyager – Admin panel for Laravel
95. Laravel Voyager Database – Database manager for Voyager
96. Laravel Categories – Handle categories for models
97. Laravel Multitenancy – Multi-tenancy implementation
98. Laravel Access Control – Advanced access control for users
99. Laravel Menus – Menu management
100. Laravel Translatable Routes – Multilingual route handling