Evytor Daily

Laravel Sanctum API Authentication

By Evytor DailyAugust 7, 2025Programming / Developer

🎯 Summary

Laravel Sanctum provides a feather-light authentication system specifically designed for Single Page Applications (SPAs), mobile applications, and simple APIs. It allows your Laravel backend to issue API tokens that grant access to specific routes or resources. This article dives deep into Laravel Sanctum, offering a step-by-step guide on setting it up, configuring it, and utilizing its features for robust API authentication. Securing your application's API endpoints is crucial, and Sanctum offers a simple yet powerful solution.

Understanding Laravel Sanctum

What is Sanctum?

Sanctum, previously known as Laravel Airlock, is a package that provides a simple way to authenticate Single Page Applications (SPAs), mobile applications, and token-based APIs. It uses personal access tokens, allowing users to generate multiple tokens with varying scopes to control access to their data.

Why Use Sanctum?

Traditional session-based authentication can be cumbersome for APIs. Sanctum simplifies the process by offering token-based authentication that's easy to implement and manage. It's especially useful when you need fine-grained control over API access, allowing you to specify abilities or scopes for each token.

Setting Up Laravel Sanctum

Installation

First, install the Sanctum package using Composer. Open your terminal and run the following command:

composer require laravel/sanctum

Configuration

After installing the package, publish the configuration and migration files:

php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

Next, run the migrations to create the necessary database tables:

php artisan migrate

Finally, add the Sanctum::personalAccessToken() call to your App\Models\User model:

use Laravel\Sanctum\HasApiTokens;  class User extends Authenticatable {     use HasApiTokens, Notifiable;      // ... }

Using Sanctum for API Authentication

Issuing API Tokens

To issue API tokens, you can use the createToken method on the user model. This method returns a plain text token that the user can use to authenticate future API requests.

$token = $user->createToken('my-app-token')->plainTextToken;  return ['token' => $token];

Protecting API Routes

To protect API routes using Sanctum, you can use the auth:sanctum middleware. This middleware will ensure that incoming requests have a valid API token.

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {     return $request->user(); });

Token Abilities (Scopes)

Sanctum allows you to define abilities or scopes for each token, giving you fine-grained control over what each token can access. For example:

$token = $user->createToken('my-app-token', ['server:update'])->plainTextToken;

Then, in your routes, you can check if the token has the required ability:

Route::middleware(['auth:sanctum', 'ability:server:update'])->post('/servers/{server}/update', function (Server $server) {     // Update the server... });

Sanctum with Single Page Applications (SPAs)

Sanctum is particularly well-suited for SPAs that authenticate with a Laravel backend. Here’s how to set it up:

CSRF Protection

Sanctum provides built-in CSRF protection for SPAs. When your SPA makes its first request to the Laravel backend, Sanctum will set a XSRF-TOKEN cookie. You should configure your SPA to send this cookie with all subsequent requests.

Authentication Flow

  1. SPA makes a request to /sanctum/csrf-cookie to get the CSRF token.
  2. SPA sends the CSRF token in the X-XSRF-TOKEN header with subsequent requests.
  3. Laravel backend authenticates the user using Sanctum's cookie-based authentication.

Practical Examples and Code Snippets

Example 1: Creating a new API Token for a User

This example demonstrates how to generate a new API token for a user through a controller method.

namespace App\Http\Controllers;  use Illuminate\Http\Request; use App\Models\User;  class ApiTokenController extends Controller {     public function generateToken(Request $request)     {         $user = $request->user(); // Assuming user is authenticated         $token = $user->createToken('api-token')->plainTextToken;          return response()->json(['token' => $token]);     } }

Example 2: Protecting an API Endpoint

Here's how you protect an API endpoint using the auth:sanctum middleware.

Route::middleware('auth:sanctum')->get('/profile', function (Request $request) {     return $request->user(); });

Example 3: Revoking Tokens

To revoke a token, you can use the tokens() relationship on the User model to access and delete tokens.

$user = $request->user(); $user->tokens()->where('id', $tokenId)->delete();

Best Practices for Secure API Authentication with Sanctum

  • ✅ Always use HTTPS to protect your API tokens during transmission.
  • Implement proper input validation to prevent injection attacks.
  • ✅ Regularly rotate API tokens to minimize the impact of compromised tokens.
  • Limit the scope of each token to the minimum required permissions.
  • ✅ Store API tokens securely on the client-side (e.g., using secure storage mechanisms).
  • ✅ Implement rate limiting to prevent abuse and brute-force attacks.
  • ✅ Monitor API usage for suspicious activity and potential security breaches.

Advanced Sanctum Features

Customizing Token Expiration

You can customize the expiration time of API tokens by modifying the expiration configuration option in the config/sanctum.php file.

Using Sanctum with Mobile Applications

Sanctum can be used to authenticate mobile applications by issuing API tokens to users who log in through the mobile app. The mobile app can then use these tokens to authenticate future API requests.

Handling Token Refresh

To improve security, you can implement a token refresh mechanism that allows users to refresh their API tokens without having to re-authenticate. This can be done by issuing refresh tokens along with the API tokens.

Troubleshooting Common Issues

Issue: 401 Unauthorized Error

This error typically occurs when the API token is missing or invalid. Ensure that you are sending the token in the Authorization header with the Bearer scheme. Also, verify that the token has not expired or been revoked.

Issue: CSRF Token Mismatch

This error can occur when using Sanctum with SPAs. Ensure that you are sending the X-XSRF-TOKEN header with all requests and that the CSRF cookie is properly set.

Issue: Token Not Being Saved

Make sure you have run the migrations after installing Sanctum. The tokens are stored in the database, and the migration creates the necessary table.

Testing Your Sanctum Implementation

Writing tests for your Sanctum implementation is crucial to ensure that your API authentication is working correctly. Here's an example of how to write a test to check if a protected route is accessible with a valid token.

namespace Tests\Feature;  use Illuminate\Foundation\Testing\RefreshDatabase; use Tests\TestCase; use App\Models\User; use Laravel\Sanctum\Sanctum;  class SanctumAuthTest extends TestCase {     use RefreshDatabase;      public function test_protected_route_accessible_with_valid_token()     {         $user = User::factory()->create();         Sanctum::actingAs(             $user,             ['*']         );          $response = $this->getJson('/api/protected');          $response->assertStatus(200);     } }

Remember to define your protected route in routes/api.php:

Route::middleware('auth:sanctum')->get('/protected', function () {     return response()->json(['message' => 'Protected Route']); });

💻 Code Snippets and Commands

Node Command

To install a package via npm:

npm install axios

Linux Command

To view the contents of a directory:

ls -l

CMD Command

To check the version of your OS:

ver

🔧 Debugging Tips and Tricks

Debugging can be tricky. Here are some tips for tackling common Sanctum issues:

  1. Check your .env file: Ensure your database configurations are correct.
  2. Clear your cache: Use php artisan config:cache and php artisan cache:clear.
  3. Inspect your database: Verify that the personal_access_tokens table exists and has the correct structure.
  4. Use debuggers: Implement dd() (dump and die) in your code to inspect variables and execution flow.

For example, if you're having trouble with middleware, use:

dd($request->header('Authorization'));

to inspect the authorization header directly.

🚀 Optimizing Sanctum for Production

Once you're ready to deploy your application to production, consider the following optimizations:

  • Cache your configurations: Run php artisan config:cache to optimize performance.
  • Use a CDN: Serve static assets via a Content Delivery Network to improve loading times.
  • Monitor your API: Implement monitoring and alerting to detect and respond to issues quickly.

Interactive Code Sandbox

Experiment with Sanctum in a safe environment using an online code sandbox. Below is a simple example to test token creation.

Unfortunately, embedding a fully functional Laravel environment isn't feasible, but you can simulate the behavior using PHP snippets within an HTML environment.

<!-- Simulated PHP code (not executable) --> <?php   // Simulate user authentication   $user = ['id' => 1, 'name' => 'Test User'];    // Simulate token creation   $token = md5(uniqid() . $user['id']);    echo "<p>User: " . $user['name'] . "</p>";   echo "<p>Token: " . $token . "</p>"; ?>

For a real environment, consider using services like Laravel Vapor or a local Docker setup.

Final Thoughts

Laravel Sanctum provides an excellent solution for API authentication, especially for SPAs and mobile applications. By following the steps and best practices outlined in this article, you can ensure that your APIs are secure and protected from unauthorized access. Remember to regularly review and update your authentication strategy to stay ahead of potential security threats.

Keywords

Laravel, Sanctum, API Authentication, Token-based Authentication, SPA, Single Page Application, API Security, Laravel Sanctum, OAuth, API Tokens, Authentication Middleware, CSRF Protection, Laravel API, Mobile App Authentication, Sanctum Scopes, Sanctum Abilities, API Security Best Practices, Token Revocation, API Testing, Sanctum Configuration

Popular Hashtags

#Laravel, #Sanctum, #APIAuthentication, #PHP, #WebDev, #APISecurity, #LaravelSanctum, #SPAs, #MobileApps, #Authentication, #WebSecurity, #Programming, #Coding, #Developer, #Security

Frequently Asked Questions

What is the difference between Sanctum and Passport?

Sanctum is designed for simple API authentication using personal access tokens, while Passport provides a full OAuth2 server implementation for more complex scenarios.

Can I use Sanctum for traditional web applications?

While Sanctum is primarily designed for SPAs and mobile applications, it can also be used for traditional web applications with some modifications.

How do I revoke a Sanctum API token?

You can revoke a Sanctum API token by deleting the corresponding record from the personal_access_tokens table in your database.

What are some alternative authentication packages for Laravel APIs?

Besides Sanctum and Passport, other options include JWT (JSON Web Tokens) authentication and simple API key authentication. Each has different trade-offs in terms of complexity and security.

A clean, modern illustration depicting a shield protecting a digital API endpoint. The shield is emblazoned with the Laravel logo, and stylized data streams flow around it, representing secure data transfer. The background is a gradient of blue and purple, symbolizing the cloud and security. The overall style is professional and trustworthy, emphasizing API security and protection.