Docs : Laravel Sanctum | Sneat - Bootstrap Dashboard PRO

Laravel API Authentication Using Sanctum

Laravel Sanctum provides a featherweight authentication system for SPAs (single page applications), mobile applications, and simple, token based APIs.

Introduction

Laravel Sanctum provides a featherweight authentication system for SPAs (single page applications), mobile applications, and simple, token based APIs. Sanctum allows each user of your application to generate multiple API tokens for their account. These tokens may be granted abilities / scopes which specify which actions the tokens are allowed to perform.

Installation

Info:Laravel 11 does not include Laravel Sanctum by default. However, if your application's composer.json file does not include laravel/sanctum, you may follow the installation instructions below. 🙏

You may install Laravel Sanctum via the install:api Artisan command:

php artisan install:api

Sanctum allows you to issue API tokens / personal access tokens that may be used to authenticate API requests to your application. When making requests using API tokens, the token should be included in the Authorization header as a Bearer token.

To begin issuing tokens for users, your User model should use the Laravel\Sanctum\HasApiTokens trait:

use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
  use HasApiTokens;
}

install:api command will add routes/api.php file. That should be included in the bootstrap/app.php file inside withRouting as below

return Application::configure(basePath: dirname(__DIR__))
  ->withRouting(
    web: __DIR__ . '/../routes/web.php',
    api: __DIR__ . '/../routes/api.php', // Add this if not added by install:api
    commands: __DIR__ . '/../routes/console.php',
    health: '/up',
  )

Finally, you should run your database migrations. Sanctum will create one database table in which to store API tokens:

php artisan migrate

Next, if you plan to utilize Sanctum to authenticate an SPA, please refer to the SPA Authentication section of this documentation.

Sanctum Authentication

We'll create simple user authentication methods via Laravel Sanctum below.

Create Route: Create routes into routes/api.php that point to AuthController:

<?php

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\AuthController;

// Open Routes
Route::post('/register', [AuthController::class, 'register']);
Route::post('/login', [AuthController::class, 'login']);

// Protected Routes
Route::group(['middleware' => 'auth:sanctum'], function () {
  Route::get('/profile', [AuthController::class, 'profile']);
  Route::get('/logout', [AuthController::class, 'logout']);
});

Create Controller: Now, we have to create a controller that handles all API requests. Follow below artisan command to create a new controller:

php artisan make:controller AuthController

Register User: We'll implement a simple method to register a user:

<?php

namespace App\Http\Controllers;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use App\Models\User;

class AuthController extends Controller
{
  // POST [name, email, password]
  public function register(Request $request)
  {
    // Validation
    $request->validate([
      "name" => "required|string",
      "email" => "required|string|email|unique:users",
      "password" => "required|confirmed" // password_confirmation
    ]);

    // Create User
    User::create([
      "name" => $request->name,
      "email" => $request->email,
      "password" => bcrypt($request->password)
    ]);

    return response()->json([
      "status" => true,
      "message" => "User registered successfully",
      "data" => []
    ]);

  }
}

TEST register user API using postman

Info: Make sure you update Headers with Accept: application/json in postman.

Login User: In the same file AuthController.php, create a simple login method that generates API token via sanctum:

<?php

namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use App\Models\User;
use Illuminate\Support\Facades\Hash;

class AuthController extends Controller
{
  public function login(Request $request)
  {
    // POST [email, password]
    // Validation
    $request->validate([
      'email' => 'required|email|string',
      'password' => 'required'
    ]);

    // Email check
    $user = User::where("email", $request->email)->first();

    if (!empty($user)) {
      // User exists
      if (Hash::check($request->password, $user->password)) {
        // Password matched
        $token = $user->createToken("myAccessToken")->plainTextToken;

        return response()->json([
          "status" => true,
          "message" => "Login successful",
          "token" => $token,
          "data" => []
        ]);
      } else {
        return response()->json([
          "status" => false,
          "message" => "Password didn't match",
          "data" => []
        ]);
      }
    } else {
      return response()->json([
        "status" => false,
        "message" => "Invalid Email value",
        "data" => []
      ]);
    }
  }
}

TEST Login user API using postman

Info: Make sure you update Headers with Accept: application/json in postman.

Get User Profile: In the same file AuthController.php, create a simple method to get the user's profile details:

public function profile()
{
  $userData = auth()->user();

  return response()->json([
    "status" => true,
    "message" => "Profile information",
    "data" => $userData,
    "id" => auth()->user()->id
  ]);
}

TEST get user API using postman

Logout User: In the same file AuthController.php, create a simple method to revoke the token from the user:

public function logout()
{
  auth()->user()->tokens()->delete();

  return response()->json([
    "status" => true,
    "message" => "User Logged out successfully",
    "data" => []
  ]);
}

TEST logout user API using postman