Laravel Sanctum provides a featherweight authentication system for SPAs (single page applications), mobile applications, and simple, token-based APIs.
Laravel Sanctum provides a featherweight authentication system for SPAs (single page applications), mobile applications, and simple, token-based APIs. Sanctum allows each user of your application to generate multiple API tokens for their account. These tokens may be granted abilities/scopes which specify which actions the tokens are allowed to perform.
composer.json
file does not include laravel/sanctum
, you may follow the installation instructions below. 🙏install:api
Artisan command:php artisan install:api
API tokens / personal access tokens
that may be used to authenticate API requests to your application. When making requests using API tokens, the token should be included in the Authorization header as a Bearer token.
To begin issuing tokens for users, your User
model should use the Laravel\Sanctum\HasApiTokens
trait:
use Laravel\Sanctum\HasApiTokens;
class User extends Authenticatable
{
use HasApiTokens;
}
install:api
command will add routes/api.php
file. That should be included in the bootstrap/app.php
file inside withRouting as below:return Application::configure(basePath: dirname(__DIR__))
->withRouting(
web: __DIR__ . '/../routes/web.php',
api: __DIR__ . '/../routes/api.php', // Add this if not added by install:api
commands: __DIR__ . '/../routes/console.php',
health: '/up',
);
php artisan migrate
We'll create simple user authentication methods via Laravel Sanctum below.
routes/api.php
that point to AuthController
:<?php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\AuthController;
// Open Routes
Route::post('/register', [AuthController::class, 'register']);
Route::post('/login', [AuthController::class, 'login']);
// Protected Routes
Route::group(['middleware' => 'auth:sanctum'], function () {
Route::get('/profile', [AuthController::class, 'profile']);
Route::get('/logout', [AuthController::class, 'logout']);
});
php artisan make:controller AuthController
<?php
namespace App\Http\Controllers;
use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use App\Models\User;
class AuthController extends Controller
{
// POST [name, email, password]
public function register(Request $request)
{
// Validation
$request->validate([
"name" => "required|string",
"email" => "required|string|email|unique:users",
"password" => "required|confirmed" // password_confirmation
]);
// Create User
User::create([
"name" => $request->name,
"email" => $request->email,
"password" => bcrypt($request->password)
]);
return response()->json([
"status" => true,
"message" => "User registered successfully",
"data" => []
]);
}
}
TEST register user API using postman
Accept: application/json
in postman.AuthController.php
, create a simple login method that generates API token
via sanctum:<?php
namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use App\Models\User;
use Illuminate\Support\Facades\Hash;
class AuthController extends Controller
{
public function login(Request $request)
{
// POST [email, password]
// Validation
$request->validate([
'email' => 'required|email|string',
'password' => 'required'
]);
// Email check
$user = User::where("email", $request->email)->first();
if (!empty($user)) {
// User exists
if (Hash::check($request->password, $user->password)) {
// Password matched
$token = $user->createToken("myAccessToken")->plainTextToken;
return response()->json([
"status" => true,
"message" => "Login successful",
"token" => $token,
"data" => []
]);
} else {
return response()->json([
"status" => false,
"message" => "Password didn't match",
"data" => []
]);
}
} else {
return response()->json([
"status" => false,
"message" => "Invalid Email value",
"data" => []
]);
}
}
}
TEST Login user API using postman
Accept: application/json
in postman.public function profile()
{
$userData = auth()->user();
return response()->json([
"status" => true,
"message" => "Profile information",
"data" => $userData,
"id" => auth()->user()->id
]);
}
TEST get user API using postman
AuthController.php
, create a simple method to revoke
the token from the user:public function logout()
{
auth()->user()->tokens()->delete();
return response()->json([
"status" => true,
"message" => "User Logged out successfully",
"data" => []
]);
}
TEST logout user API using postman