Laravel Sanctum API Token Authentication Tutorial with example

Harish Kumar · · 5335 Views

Laravel Sanctum is a popular package for API Token Authentication. There are many other packages available to authenticate the APIs request in Laravel. For example, We are already familiar with Laravel Passport and JWT to authenticate the APIs. 

I have already shared the tutorial for making RESTful APIs using Passport Authentication. The main difference between passport and Sanctum is Passport uses OAuth for authorization. On the other hand, Sanctum produces the API tokens without the complication of OAuth.

Laravel Sanctum Installation

Run the following command in your terminal to install the Laravel Sanctum package:

composer require laravel/sanctum

After successfully install package, we need to publish configuration file with following command:

php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

Now run the migration command.

php artisan migrate

Next, if you see the kernel.php, by default, it uses auth:api middleware for making simple token-based API authentication. Because we want to use Sanctum for API authentication, so we need to replace it with auth:sanctum middleware.


use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;

'api' => [

`HasApiTokens` trait

To issuing API token, we have to use the HasApiTokens trait in the User model. 

use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
    use HasApiTokens, Notifiable;

    // ...

Now we can issue tokens for a user.

$token = $user->createToken('here-token-name');
return $token->plainTextToken;

Laravel Sanctum Usages

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();

API Token Issuing

To issue a token, you may use the createToken method. The createToken method returns a Laravel\Sanctum\NewAccessToken instance. 

$token = $user->createToken('here-token-name');
return $token->plainTextToken;

Token Abilities

You may pass an array of string abilities as the second argument to the createToken method:

return $user->createToken('token-name', ['post:update'])->plainTextToken;

To check the ability of a token, you can use tokenCan  method on a User model object. 

if ($user->tokenCan('post:update')) {

Revoking Tokens


Hope this post will help you to learn about Laravel Sanctum and how to make API using the Laravel Sanctum package.


Please login or create new account to add your comment.

1 comment
Mahdi Pishguy
Mahdi Pishguy ·

Thanks so much

You may also like:

What are Laravel Macros and How to Extending Laravel’s Core Classes using Macros with example?

Laravel Macros are a great way of expanding Laravel's core macroable classes and add additional functionality needed for your application. In simple word, Laravel Macro is an (...)
Harish Kumar

Install Laravel Valet Linux+ development environment on Ubuntu System

The official Laravel Valet development environment is great if you are an Apple user. But there is no official Valet for Linux or Window system.
Harish Kumar

Create SPA authentication Using Laravel Sanctum and Vue.js

In this guide, we will focus on SPA authentication in a simple Vue.js app using Laravel Sanctum. Laravel Sanctum provides a featherweight authentication system for SPAs (single (...)
Harish Kumar

Create API Authentication with Laravel Passport

In this article, we'll see how to implement restful API authentication using Laravel Passport. You should have experience working with Laravel as this is not an introductory tutorial. (...)
Sumit Talwar

Laravel Themer: multi-theme support for Laravel application

This Laravel Themer package adds multi-theme support to your application. This theme package improves any application while allowing the freedom to organize and maintain your app's (...)
Harish Kumar

Difference between Laravel $request->input(), $request->get(), and $request->name direct property

If you’ve been around Laravel for a while, you might have seen there are three ways in controllers to retrieve inputs from the submitted form. For example, if you are trying (...)