Sneat Bootstrap Dashboard by ThemeSelection

Laravel API Authentication Using Sanctum

Laravel Sanctum provides a featherweight authentication system for SPAs (single page applications), mobile applications, and simple, token-based APIs.

Introduction#

Laravel Sanctum provides a featherweight authentication system for SPAs (single page applications), mobile applications, and simple, token-based APIs. Sanctum allows each user of your application to generate multiple API tokens for their account. These tokens may be granted abilities/scopes which specify which actions the tokens are allowed to perform.

Installation#

Info: Laravel 12 does not include Laravel Sanctum by default. However, if your application's composer.json file does not include laravel/sanctum, you may follow the installation instructions below. 🙏

You may install Laravel Sanctum via the install:api Artisan command:

php artisan install:api

Sanctum allows you to issue API tokens / personal access tokens that may be used to authenticate API requests to your application. When making requests using API tokens, the token should be included in the Authorization header as a Bearer token.

To begin issuing tokens for users, your User model should use the Laravel\Sanctum\HasApiTokens trait:

use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
  use HasApiTokens;
}

install:api command will add routes/api.php file. That should be included in the bootstrap/app.php file inside withRouting as below:

return Application::configure(basePath: dirname(__DIR__))
  ->withRouting(
    web: __DIR__ . '/../routes/web.php',
    api: __DIR__ . '/../routes/api.php', // Add this if not added by install:api
    commands: __DIR__ . '/../routes/console.php',
    health: '/up',
  );

Finally, you should run your database migrations. Sanctum will create one database table in which to store API tokens:

php artisan migrate

Next, if you plan to utilize Sanctum to authenticate an SPA, please refer to the SPA Authentication section of this documentation.

Sanctum Authentication#

We'll create simple user authentication methods via Laravel Sanctum below.

Create Route: Create routes into routes/api.php that point to AuthController:

<?php

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\AuthController;

// Open Routes
Route::post('/register', [AuthController::class, 'register']);
Route::post('/login', [AuthController::class, 'login']);

// Protected Routes
Route::group(['middleware' => 'auth:sanctum'], function () {
  Route::get('/profile', [AuthController::class, 'profile']);
  Route::get('/logout', [AuthController::class, 'logout']);
});

Create Controller: Now, we have to create a controller that handles all API requests. Follow below artisan command to create a new controller:

php artisan make:controller AuthController

Register User: We'll implement a simple method to register a user:

<?php

namespace App\Http\Controllers;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use App\Models\User;

class AuthController extends Controller
{
  // POST [name, email, password]
  public function register(Request $request)
  {
    // Validation
    $request->validate([
      "name" => "required|string",
      "email" => "required|string|email|unique:users",
      "password" => "required|confirmed" // password_confirmation
    ]);

    // Create User
    User::create([
      "name" => $request->name,
      "email" => $request->email,
      "password" => bcrypt($request->password)
    ]);

    return response()->json([
      "status" => true,
      "message" => "User registered successfully",
      "data" => []
    ]);

  }
}

TEST register user API using postman

Info: Make sure you update Headers with Accept: application/json in postman.

Login User: In the same file AuthController.php, create a simple login method that generates API token via sanctum:

<?php

namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use App\Models\User;
use Illuminate\Support\Facades\Hash;

class AuthController extends Controller
{
  public function login(Request $request)
  {
    // POST [email, password]
    // Validation
    $request->validate([
      'email' => 'required|email|string',
      'password' => 'required'
    ]);

    // Email check
    $user = User::where("email", $request->email)->first();

    if (!empty($user)) {
      // User exists
      if (Hash::check($request->password, $user->password)) {
        // Password matched
        $token = $user->createToken("myAccessToken")->plainTextToken;

        return response()->json([
          "status" => true,
          "message" => "Login successful",
          "token" => $token,
          "data" => []
        ]);
      } else {
        return response()->json([
          "status" => false,
          "message" => "Password didn't match",
          "data" => []
        ]);
      }
    } else {
      return response()->json([
        "status" => false,
        "message" => "Invalid Email value",
        "data" => []
      ]);
    }
  }
}

TEST Login user API using postman

Info: Make sure you update Headers with Accept: application/json in postman.

Get User Profile: In the same file AuthController.php, create a simple method to get the user's profile details:

public function profile()
{
  $userData = auth()->user();

  return response()->json([
    "status" => true,
    "message" => "Profile information",
    "data" => $userData,
    "id" => auth()->user()->id
  ]);
}

TEST get user API using postman

Logout User: In the same file AuthController.php, create a simple method to revoke the token from the user:

public function logout()
{
  auth()->user()->tokens()->delete();

  return response()->json([
    "status" => true,
    "message" => "User Logged out successfully",
    "data" => []
  ]);
}

TEST logout user API using postman