
Sanctum Authentication

API token authentication with Sanctum, token abilities, SPA authentication, and mobile app auth.

Laravel Sanctum

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Http\JsonResponse;

// Issue token
/**
 * Issue a personal access token for the credentials carried by the request.
 *
 * Validates email/password, checks them against the default guard and, on
 * success, answers with a freshly created token plus the user. The plain-text
 * token is only available on this response; later requests see the hashed
 * copy. Wrong credentials produce HTTP 401.
 *
 * NOTE(review): nothing here rate-limits credential guessing; this endpoint
 * should sit behind the framework's `throttle` middleware at the route level.
 *
 * @throws \Illuminate\Validation\ValidationException when email or password are missing/malformed
 */
public function login(Request $request): JsonResponse
{
    $request->validate([
        'email' => 'required|email',
        'password' => 'required',
    ]);

    $credentials = $request->only('email', 'password');

    // NOTE(review): attempt() verifies the hash but also logs the user into
    // the default (session) guard — confirm that side effect is wanted for a
    // token-issuing endpoint.
    if (auth()->attempt($credentials)) {
        // Scope the token to the one ability it needs; widen deliberately.
        $token = auth()->user()
            ->createToken('api-token', ['posts:read'])
            ->plainTextToken;

        // NOTE(review): serialising the whole user relies on the model's
        // $hidden list to keep password/remember_token out — verify.
        return response()->json([
            'token' => $token,
            'user' => auth()->user(),
        ]);
    }

    return response()->json(['message' => 'Invalid credentials.'], 401);
}

// Revoke token
/**
 * Revoke the token that authenticated this request.
 *
 * Only the current token is deleted; other tokens the same user holds stay
 * valid. Revoking all of them would be `$request->user()->tokens()->delete()`.
 */
public function logout(Request $request): JsonResponse
{
    // NOTE(review): when the caller was authenticated through the stateful SPA
    // session, currentAccessToken() yields a TransientToken rather than a
    // persisted PersonalAccessToken — confirm delete() exists on it before
    // routing session-authenticated clients here.
    $current = $request->user()->currentAccessToken();
    $current->delete();

    return response()->json(['message' => 'Logged out.']);
}

Token Abilities

// Create token with specific abilities
// Abilities are a per-token allow-list. A token created without the second
// argument gets Sanctum's default of ['*'] (everything), so pass the narrowest
// list that fits the client that will hold it.
$user->createToken("mobile-token", ["posts:create", "posts:read"]);

// Check abilities
// NOTE(review): tokenCan() only constrains requests authenticated by a personal
// access token; for a stateful (cookie/session) request the transient token
// reports every ability as allowed — confirm before using this as the sole
// authorization check.
if ($request->user()->tokenCan("posts:create")) { ... }

// Middleware
// "abilities:" requires every listed ability; the sibling "ability:" alias
// requires any one of them. Both are middleware aliases that must be
// registered in the application, and both assume auth:sanctum ran first, as here.
Route::middleware(["auth:sanctum", "abilities:posts:read"])->group(...);

SPA Authentication

// config/sanctum.php
// Hosts listed here get cookie/session ("stateful") authentication instead of
// bearer-token auth, so the list must contain first-party front-end origins only.
// The fallback below is for local development; set SANCTUM_STATEFUL_DOMAINS
// explicitly per environment rather than relying on it.
"stateful" => explode(",", env("SANCTUM_STATEFUL_DOMAINS", "localhost,localhost:3000"));

// In bootstrap/app.php
// statefulApi() adds Sanctum's EnsureFrontendRequestsAreStateful middleware to
// the api group; that is what turns on the cookie-based flow (with its CSRF
// check) for the hosts configured above.
->withMiddleware(function (Middleware $middleware) {
$middleware->statefulApi();
});

Examples

<?php
// routes/api.php
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

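// Mint an additional personal access token for the already-authenticated user.
// The request body supplies token_name; the response carries the plain-text
// token, which is only available on this freshly created instance.
Route::post('/tokens/create', function (Request $request) {
    // token_name is caller-controlled: validate it before it reaches the
    // personal_access_tokens table (whose name column is a 255-char string).
    $validated = $request->validate([
        'token_name' => ['required', 'string', 'max:255'],
    ]);

    // NOTE(review): createToken() without an abilities argument grants ['*'].
    // Since any Sanctum-authenticated caller can reach this route, a holder of
    // a narrowly scoped token could obtain an unrestricted one — pass an
    // explicit abilities array here or guard the route with an "abilities:" check.
    $token = $request->user()->createToken($validated['token_name']);

    return ['token' => $token->plainTextToken];
})->middleware('auth:sanctum');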
