Laravel Sanctum provides a featherweight authentication system for SPAs (single page applications), mobile applications, and simple, token based APIs. Sanctum allows each user of your application to generate multiple API tokens for their account. These tokens may be granted abilities / scopes which specify which actions the tokens are allowed to perform.
If your application's composer.json file does not include laravel/sanctum, you may follow the installation instructions below. 🙏

You may install Sanctum via the install:api Artisan command:

```bash
php artisan install:api
```
Sanctum allows you to issue API tokens / personal access tokens that may be used to authenticate API requests to your application. When making requests using API tokens, the token should be included in the Authorization header as a Bearer token.

To begin issuing tokens for users, your User model should use the Laravel\Sanctum\HasApiTokens trait:

```php
use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens;
}
```
The install:api command will add a routes/api.php file, which must be registered in the bootstrap/app.php file inside withRouting as below:

```php
return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__ . '/../routes/web.php',
        api: __DIR__ . '/../routes/api.php', // Add this if not added by install:api
        commands: __DIR__ . '/../routes/console.php',
        health: '/up',
    )
```
Then run the migrations:

```bash
php artisan migrate
```
We'll create simple user authentication methods via Laravel Sanctum below.
Define the routes in routes/api.php that point to AuthController:

```php
<?php

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\AuthController;

// Open Routes
Route::post('/register', [AuthController::class, 'register']);
Route::post('/login', [AuthController::class, 'login']);

// Protected Routes
Route::group(['middleware' => 'auth:sanctum'], function () {
    Route::get('/profile', [AuthController::class, 'profile']);
    Route::get('/logout', [AuthController::class, 'logout']);
});
```
Create the controller:

```bash
php artisan make:controller AuthController
```
```php
<?php

namespace App\Http\Controllers;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use App\Models\User;

class AuthController extends Controller
{
    // POST [name, email, password, password_confirmation]
    public function register(Request $request)
    {
        // Validation
        $request->validate([
            "name" => "required|string",
            "email" => "required|string|email|unique:users",
            "password" => "required|confirmed" // requires a matching password_confirmation field
        ]);

        // Create User (password is stored hashed, never in plaintext)
        User::create([
            "name" => $request->name,
            "email" => $request->email,
            "password" => bcrypt($request->password)
        ]);

        return response()->json([
            "status" => true,
            "message" => "User registered successfully",
            "data" => []
        ]);
    }
}
```
Test the register user API using Postman. Make sure to set the header Accept: application/json in Postman, so that Laravel returns validation errors as JSON instead of redirecting.
In AuthController.php, create a simple login method that generates an API token via Sanctum:

```php
<?php

namespace App\Http\Controllers;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use App\Models\User;
use Illuminate\Support\Facades\Hash;

class AuthController extends Controller
{
    public function login(Request $request)
    {
        // POST [email, password]
        // Validation
        $request->validate([
            'email' => 'required|email|string',
            'password' => 'required'
        ]);

        // Email check
        $user = User::where("email", $request->email)->first();

        if (!empty($user)) {
            // User exists
            if (Hash::check($request->password, $user->password)) {
                // Password matched: issue a token. Only the hash is stored in
                // personal_access_tokens; the plaintext is returned once, here.
                $token = $user->createToken("myAccessToken")->plainTextToken;

                return response()->json([
                    "status" => true,
                    "message" => "Login successful",
                    "token" => $token,
                    "data" => []
                ]);
            } else {
                // Note: distinct messages for "wrong password" and "unknown email"
                // let a caller learn which email addresses are registered.
                return response()->json([
                    "status" => false,
                    "message" => "Password didn't match",
                    "data" => []
                ]);
            }
        } else {
            return response()->json([
                "status" => false,
                "message" => "Invalid Email value",
                "data" => []
            ]);
        }
    }
}
```
Test the login user API using Postman, again with the header Accept: application/json set.
Next, add a profile method that returns the authenticated user:

```php
public function profile()
{
    $userData = auth()->user();

    return response()->json([
        "status" => true,
        "message" => "Profile information",
        "data" => $userData,
        "id" => auth()->user()->id
    ]);
}
```
Test the get user (profile) API using Postman, sending the token as a Bearer token in the Authorization header.
In AuthController.php, create a simple method to revoke the user's tokens:

```php
public function logout()
{
    // Deletes every token issued to this user (all devices/clients),
    // not only the token used for the current request.
    auth()->user()->tokens()->delete();

    return response()->json([
        "status" => true,
        "message" => "User Logged out successfully",
        "data" => []
    ]);
}
```
Test the logout user API using Postman.
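The introduction mentions that tokens can be granted abilities / scopes, and the logout above revokes every token the user owns. The following controller, an added example that is not part of the original tutorial, shows a login that issues a scoped and expiring token, a profile method that checks the token's ability, and a logout that revokes only the current token. It assumes the User model above with HasApiTokens, Sanctum 3.x or later (for the expiration argument), and application-defined ability names such as profile:read.

```php
<?php
// Added example (not from the original tutorial): scoped, expiring tokens and
// per-token revocation. Assumes the User model uses HasApiTokens and that the
// ability name 'profile:read' is defined by this application.
namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class ScopedAuthController extends Controller
{
    // POST [email, password]: issue a token limited to reading the profile,
    // valid for 24 hours. Sanctum stores only the hash; the plaintext is
    // available once, here, and must be returned to the client.
    public function login(Request $request)
    {
        $request->validate(['email' => 'required|email', 'password' => 'required']);

        $user = User::where('email', $request->email)->first();

        // One generic failure message for both "no such user" and "wrong
        // password", so the endpoint does not reveal which emails are registered.
        if (!$user || !Hash::check($request->password, $user->password)) {
            return response()->json(['status' => false, 'message' => 'Invalid credentials'], 401);
        }

        $token = $user->createToken('profile-reader', ['profile:read'], now()->addDay())
            ->plainTextToken;

        return response()->json(['status' => true, 'token' => $token]);
    }

    // GET /profile: behind auth:sanctum, plus an ability check on the token.
    public function profile(Request $request)
    {
        if (!$request->user()->tokenCan('profile:read')) {
            return response()->json(['status' => false, 'message' => 'Token lacks profile:read'], 403);
        }

        return response()->json(['status' => true, 'data' => $request->user()]);
    }

    // Revoke only the token used for this request; the user's other tokens
    // (other devices) stay valid, unlike tokens()->delete() in the tutorial.
    public function logout(Request $request)
    {
        $request->user()->currentAccessToken()->delete();

        return response()->json(['status' => true, 'message' => 'Token revoked']);
    }
}
```

Expired tokens are rejected by auth:sanctum automatically; the rows stay in personal_access_tokens until you prune them (for example with the sanctum:prune-expired Artisan command).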