Laravel Sanctum API Token Authentication Tutorial with example
Laravel Sanctum is a popular package for API token authentication. There are many other packages available for authenticating API requests in Laravel; for example, we are already familiar with Laravel Passport and JWT for authenticating APIs.
I have already shared a tutorial on building RESTful APIs with Passport authentication. The main difference between Passport and Sanctum is that Passport uses OAuth for authorization, while Sanctum issues API tokens without the complexity of OAuth.
Laravel Sanctum Installation
Run the following command in your terminal to install the Laravel Sanctum package:
composer require laravel/sanctum
After the package is installed, publish its configuration file with the following command:
php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
Now run the migration command.
php artisan migrate
Next, if you open app/Http/Kernel.php, you will see that by default it uses the auth:api middleware for simple token-based API authentication. Because we want to use Sanctum for API authentication, we need to replace it with the auth:sanctum middleware.
//app/Http/Kernel.php
use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;

protected $middlewareGroups = [
    // ...
    'api' => [
        // Only required when a first-party SPA authenticates with session cookies;
        // clients that send bearer tokens do not need it.
        EnsureFrontendRequestsAreStateful::class,
        'throttle:60,1',
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],
];
`HasApiTokens` trait
To issue API tokens, we have to use the HasApiTokens trait in the User model.
//app/Models/User.php
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    // HasApiTokens adds createToken(), tokens(), tokenCan() and currentAccessToken()
    use HasApiTokens, Notifiable;

    // ...
}
Now we can issue tokens for a user.
$token = $user->createToken('here-token-name');
return $token->plainTextToken;
Laravel Sanctum Usage
To protect a route, attach the auth:sanctum middleware; the route then only responds to requests carrying a valid token, and $request->user() returns the token's owner.
//routes/api.php
use Illuminate\Http\Request;

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});
API Token Issuing
To issue a token, you may use the createToken method. The createToken method returns a Laravel\Sanctum\NewAccessToken instance.
$token = $user->createToken('here-token-name');
return $token->plainTextToken;
Token Abilities
You may pass an array of string abilities as the second argument to the createToken method:
return $user->createToken('token-name', ['post:update'])->plainTextToken;
To check whether the current token has a given ability, use the tokenCan method on the User model instance:
if ($user->tokenCan('post:update')) {
    // the token used for this request may update posts
}
Revoking Tokens
Tokens are rows in the personal_access_tokens table, so revoking them means deleting those rows. The following revokes every token the user has issued:
$user->tokens->each->delete();
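The following controller is an added example, not code from the original post, that ties the steps above together: it verifies credentials and issues a token with a single ability, checks that ability on a protected action, and revokes only the token used for the current request. It assumes the User model uses HasApiTokens as shown earlier; the controller name, route paths and the device_name field are assumptions.

```php
<?php
// Added example, not from the original post. Assumes the User model uses HasApiTokens
// (as above); the controller name, route paths and 'device_name' field are assumptions.
namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

class ApiTokenController extends Controller
{
    // POST /api/tokens: verify credentials, then issue a token scoped to one ability.
    public function store(Request $request)
    {
        $request->validate([
            'email'       => ['required', 'email'],
            'password'    => ['required'],
            'device_name' => ['required', 'string'],
        ]);
        $user = User::where('email', $request->email)->first();
        // Same generic message for unknown email and wrong password: do not reveal which failed.
        if (! $user || ! Hash::check($request->password, $user->password)) {
            throw ValidationException::withMessages([
                'email' => ['The provided credentials are incorrect.'],
            ]);
        }

        // Grant only the ability this client needs rather than the default ['*'].
        $token = $user->createToken($request->device_name, ['post:update']);
        // plainTextToken is returned once; Sanctum stores only its SHA-256 hash.
        return response()->json(['token' => $token->plainTextToken]);
    }

    // PUT /api/posts/{id}: behind auth:sanctum, additionally require the 'post:update' ability.
    public function update(Request $request, int $id)
    {
        abort_unless($request->user()->tokenCan('post:update'), 403, 'Token lacks post:update.');
        // ... update the post ...
        return response()->noContent();
    }

    // DELETE /api/tokens/current: revoke only the token used for this request (one device).
    public function destroyCurrent(Request $request)
    {
        $request->user()->currentAccessToken()->delete();
        return response()->noContent();
    }
}
```

In routes/api.php, register store without middleware and put update and destroyCurrent inside Route::middleware('auth:sanctum'), since both rely on $request->user() being resolved from the bearer token.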
I hope this post helps you learn about Laravel Sanctum and how to build an API with the Laravel Sanctum package.
Thanks so much