Laravel Sanctum API Token Authentication Tutorial with example

Harish Kumar · · 12512 Views

Laravel Sanctum is a popular package for API Token Authentication. There are many other packages available to authenticate the APIs request in Laravel. For example, We are already familiar with Laravel Passport and JWT to authenticate the APIs. 

I have already shared the tutorial for making RESTful APIs using Passport Authentication. The main difference between passport and Sanctum is Passport uses OAuth for authorization. On the other hand, Sanctum produces the API tokens without the complication of OAuth.

Laravel Sanctum Installation

Run the following command in your terminal to install the Laravel Sanctum package:

composer require laravel/sanctum

After successfully install package, we need to publish configuration file with following command:

php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

Now run the migration command.

php artisan migrate

Next, if you see the kernel.php, by default, it uses auth:api middleware for making simple token-based API authentication. Because we want to use Sanctum for API authentication, so we need to replace it with auth:sanctum middleware.


use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;

'api' => [

`HasApiTokens` trait

To issuing API token, we have to use the HasApiTokens trait in the User model. 

use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
    use HasApiTokens, Notifiable;

    // ...

Now we can issue tokens for a user.

$token = $user->createToken('here-token-name');
return $token->plainTextToken;

Laravel Sanctum Usages

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();

API Token Issuing

To issue a token, you may use the createToken method. The createToken method returns a Laravel\Sanctum\NewAccessToken instance. 

$token = $user->createToken('here-token-name');
return $token->plainTextToken;

Token Abilities

You may pass an array of string abilities as the second argument to the createToken method:

return $user->createToken('token-name', ['post:update'])->plainTextToken;

To check the ability of a token, you can use tokenCan  method on a User model object. 

if ($user->tokenCan('post:update')) {

Revoking Tokens


Hope this post will help you to learn about Laravel Sanctum and how to make API using the Laravel Sanctum package.


Please login or create new account to add your comment.

1 comment
Mahdi Pishguy
Mahdi Pishguy ·

Thanks so much

You may also like:

Laravel Facades: Simplifying Code and Improve Readability

As an integral part of Laravel, a renowned PHP framework, Facades provide a static interface to classes stored in the application's service container. They serve as static proxies (...)
Harish Kumar

What is Laravel’s Service Container and How to Use Dependency Injection in Laravel App

Dependency injection and inversion of control are vital in clean web development. They make writing maintainable, testable code possible. Laravel is a famous PHP framework that (...)
Harish Kumar

Secure Your SPA with Laravel Sanctum: A Step-by-Step Guide

In today's web development landscape, Single Page Applications (SPAs) are increasingly popular. But securing their interaction with backend APIs is crucial. Laravel Sanctum provides (...)
Harish Kumar

Multi-Authentication with Guards in Laravel

Laravel's robust authentication system provides a powerful mechanism for securing your application. To cater to scenarios where you need different user roles with distinct login (...)
Harish Kumar

Laravel Pint & VS Code: Automate Your Code Formatting

Laravel Pint is an opinionated PHP code style fixer built on top of PHP-CS-Fixer, designed to simplify the process of ensuring clean and consistent code style in Laravel projects. (...)
Harish Kumar

Laravel Clockwork: A Deep Dive into Debugging, Profiling Skills and Best Practices

In the world of web development, building complex applications often comes with the challenge of identifying and resolving performance bottlenecks. This is where a reliable debugging (...)
Harish Kumar