What is Laravel Sanctum, and How is it Used for API Authentication?


What is Laravel Sanctum, and How is it Used for API Authentication?


Laravel Sanctum is a lightweight authentication package designed for single-page applications (SPAs), mobile applications, and simple token-based APIs. It provides a simple and secure way to authenticate users using API tokens without the complexity of OAuth. This article explores the fundamentals of Laravel Sanctum and demonstrates how to implement it for API authentication, ensuring secure access to your web applications. In this comprehensive guide, we will unravel the intricacies of Laravel Sanctum, exploring its features, advantages, and how it facilitates seamless API authentication within Laravel applications. The key focus will be on understanding the nuances of API authentication using Sanctum in Laravel.

Understanding Laravel Sanctum

Introducing Laravel Sanctum

Laravel Sanctum is an official Laravel package that provides a simple and powerful way to authenticate single-page applications (SPAs) or any frontend built using JavaScript or other frontend frameworks. It primarily focuses on securing API routes and is tailored for token-based authentication. With Sanctum, Laravel applications can easily implement stateful authentication for SPAs without the need for Passport or other complex authentication solutions.

Key Features of Laravel Sanctum

Laravel Sanctum brings several key features to the table that make it an attractive choice for API authentication:

1. SPA Authentication:

Sanctum is designed to authenticate SPAs efficiently. It issues API tokens that can be used for authenticating API requests from your SPA front end.

2. Lightweight and Simple:

Sanctum is lightweight and straightforward, providing a minimalistic yet effective approach to API authentication. It doesn’t introduce unnecessary complexity, making it easier to set up and use.

3. Token Management:

Sanctum simplifies token management by handling token creation, validation, and revocation seamlessly. This ensures a secure and streamlined process for handling user authentication tokens.

4. Session Authentication:

While primarily focused on SPA authentication, Sanctum also supports traditional web application authentication using sessions. This versatility allows developers to use the same authentication system for both SPA and non-SPA components of an application.

Implementing API Authentication using Sanctum in Laravel

Setting Up Laravel Sanctum

Before diving into API authentication, it’s essential to set up Laravel Sanctum in your Laravel application. Begin by installing Sanctum using Composer:

composer require laravel/sanctum

After installation, run the migration to create the necessary tables for Sanctum:

php artisan migrate

Next, publish the Sanctum configuration file:

php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

Configuring Sanctum for API Authentication

Sanctum configuration is typically done in the sanctum.php configuration file located in the config directory of your Laravel application. This file allows you to customize various aspects of Sanctum, including the authentication driver, the stateful domain, and more.

Configuring the Authentication Driver:

In the sanctum.php configuration file, set the stateful option to stateful for SPA authentication:

'stateful' => env('SESSION_STATEFUL_DOMAINS', ''),

For stateless API authentication, set it to stateless:

'stateful' => env('SESSION_STATEFUL_DOMAINS', null),

API Routes and Authentication

With Sanctum configured, you can start securing your API routes. Consider the following example:

// routes/api.php

use App\Http\Controllers\ApiController;

Route::middleware('auth:sanctum')->group(function () {
    // Your authenticated routes go here
    Route::get('/user', [ApiController::class, 'getUser']);
    // Additional routes...

In this example, the auth:sanctum middleware protects the specified routes, ensuring that only authenticated users can access them. Requests without valid authentication tokens will be denied access.

Generating API Tokens

To authenticate users and generate API tokens, you need to create controllers and methods for handling user authentication. Laravel Sanctum provides convenient methods for issuing tokens:

// ApiController.php

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

class ApiController extends Controller
    public function login(Request $request)
            'email' => 'required|email',
            'password' => 'required',

        $user = User::where('email', $request->email)->first();

        if (!$user || !Hash::check($request->password, $user->password)) {
            throw ValidationException::withMessages([
                'email' => ['The provided credentials are incorrect.'],

        $token = $user->createToken('api-token')->plainTextToken;

        return response()->json(['token' => $token]);

    // Additional methods...

In this example, the login method validates the user’s credentials, checks if the user exists and the password is correct, and then generates a plain text token using Sanctum’s createToken method.

Best Practices for API Authentication using Sanctum in Laravel

Keep Tokens Secure

API tokens are sensitive information, and their security is paramount. Always transmit tokens over HTTPS to encrypt the communication between your application and the server. Additionally, avoid exposing tokens in frontend code or other insecure locations.

Token Expiration and Renewal

Implement token expiration strategies to enhance security. Laravel Sanctum allows you to set token expiration times in the configuration file. Consider periodic token renewal to refresh tokens and maintain user sessions without requiring frequent logins.

Revoking Tokens

Laravel Sanctum provides methods to revoke tokens when necessary. Implement token revocation mechanisms for scenarios like user logout or account deactivation to invalidate tokens and enhance security.

Use Stateless Authentication for APIs

For API routes that don’t require session authentication, consider using stateless authentication. This eliminates the need to maintain session state for API requests, leading to a more efficient and scalable API architecture.


In conclusion, Laravel Sanctum provides a streamlined and effective solution for API authentication in Laravel applications. Whether you are building SPAs or traditional web applications, Sanctum’s versatility and simplicity make it a valuable tool for securing your API routes. By understanding its features, configuring it appropriately, and following best practices, you can implement robust API authentication in your Laravel projects.

As you explore API authentication using Sanctum in Laravel, share your experiences, challenges, and insights in the comments below. How has Sanctum improved your API security, and do you have any tips for fellow Laravel developers? Your contributions enrich our collective knowledge and foster a collaborative community of Laravel enthusiasts.

Leave your thought here