Authentication is one of the most important aspects of any modern application. Whether you’re building a web app, mobile app, or single-page application (SPA), you need a secure way to verify users and protect sensitive data. In the Laravel ecosystem, the go-to solution for lightweight and flexible authentication is Laravel Sanctum.
Unlike heavy OAuth2 implementations, Sanctum provides a simple yet powerful way to handle API authentication and session-based authentication for SPAs. Let’s dive deep into how it works, why it’s useful, and how to set it up in your Laravel project.
What is Laravel Sanctum?
Laravel Sanctum is an official Laravel package designed to provide a minimalistic approach to API authentication. It allows developers to issue API tokens for users and also supports cookie-based authentication for SPAs.
With Sanctum, you can:
- Generate personal access tokens for mobile or third-party clients.
- Authenticate single-page applications using secure cookies.
- Define token abilities (scopes) to control what each token can do.
This makes Laravel Sanctum authentication versatile enough to cover most use cases without the complexity of OAuth2.
Why Use Laravel Sanctum Instead of Other Solutions?
Laravel already offers Passport, which implements the full OAuth2 protocol. While Passport is powerful, it is often overkill for many projects. Sanctum was created to solve the problem of “too much complexity for simple use cases.”
Use Sanctum if:
- You’re building a SPA (Vue, React, Angular) that consumes your Laravel API.
- You need personal access tokens for mobile apps.
- You want an easy, secure solution without learning OAuth2.
Use Passport if:
- You’re building an app that requires third-party access (like Google OAuth).
- You need advanced OAuth2 features such as refresh tokens or authorization codes.
When comparing Laravel Sanctum vs Passport, the choice is clear: Sanctum is simpler, faster to set up, and works perfectly for most applications.
How Laravel Sanctum Works
Sanctum provides two authentication methods depending on the type of client you’re building.
1. API Token Authentication
- Users can create tokens from your application.
- These tokens are stored in your database (hashed for security).
- Tokens can have scopes/abilities that define permissions.
- Requests authenticate via:
Authorization: Bearer <token>
Example:
$token = $user->createToken('authToken', ['create', 'update']);
return $token->plainTextToken;
These Laravel Sanctum API tokens make it easy to integrate secure access for mobile apps or server-to-server communication.
2. SPA Authentication with Cookies
When working with a first-party SPA, Sanctum uses Laravel’s session-based authentication with cookies.
- The SPA makes a request to
/sanctum/csrf-cookieto initialize CSRF protection. - The user logs in using standard Laravel authentication.
- Sanctum then issues cookies that persist across requests.
This provides a seamless experience for SPAs, with the added benefit of CSRF protection and secure cookie handling.
Installing and Configuring Laravel Sanctum
Getting started with Sanctum is straightforward:
- Install Sanctum
php artisan install:api
- Add the HasApiTokens trait to your
Usermodel:
use Laravel\Sanctum\HasApiTokens;
class User extends Authenticatable
{
use HasApiTokens, Notifiable;
}
- Run Migrations
php artisan migrate
- Configure Middleware
Ensure that Sanctum’s middleware (EnsureFrontendRequestsAreStateful) is added in yourapimiddleware group for SPA support.
Managing API Tokens in Laravel Sanctum
One of Sanctum’s strongest features is its ability to manage tokens effectively.
- Creating tokens:
$token = $user->createToken('myToken', ['view', 'update']);
- Checking abilities (scopes):
if ($request->user()->tokenCan('update')) {
// perform update
}
- Revoking tokens:
$user->tokens()->delete();
By using Laravel Sanctum API tokens, you can create fine-grained access control for different applications and clients.
Using Sanctum with Single Page Applications (SPAs)
If you’re building a SPA (with React, Vue, or Angular), Sanctum is an ideal solution.
- Call
/sanctum/csrf-cookiebefore login to set up CSRF protection. - Authenticate using Laravel’s built-in login route.
- Sanctum issues cookies for session-based requests.
This method makes the SPA act like a first-party client while still being protected by Laravel’s session authentication system.
Best Practices for Laravel Sanctum Authentication
To maximize security and efficiency:
- Always use HTTPS in production.
- Revoke unused or compromised tokens immediately.
- Assign specific abilities to tokens instead of giving full access.
- For SPAs, ensure CSRF protection is correctly set up.
- Keep both Laravel and Sanctum updated to the latest versions.
Common Mistakes and Troubleshooting
- Invalid CSRF Token: Make sure your SPA requests
/sanctum/csrf-cookiebefore login. - Token Not Recognized: Ensure your request headers include
Authorization: Bearer <token>. - Session Issues in SPAs: Double-check middleware and domain configuration in
config/sanctum.php.
Laravel Sanctum vs Passport: Which One Should You Choose?
When it comes to authentication in Laravel, two official packages often come up: Laravel Sanctum and Laravel Passport. While both provide secure authentication, they are designed for different use cases. Choosing the right one depends on your application’s requirements.
What is Laravel Sanctum?
- Lightweight authentication system.
- Provides two features:
- API tokens for mobile apps or third-party clients.
- SPA authentication using Laravel’s session cookies.
- Easy to install and configure (
php artisan install:api). - Supports token abilities (scopes) for fine-grained access control.
Best for:
- SPAs (React, Vue, Angular)
- Mobile apps needing simple token authentication
- Applications where OAuth2 is not required
What is Laravel Passport?
- A full OAuth2 implementation for Laravel.
- Built on top of the League OAuth2 server.
- Provides advanced features like:
- Authorization codes
- Refresh tokens
- Client credentials grant
- Heavier setup and more complex compared to Sanctum.
Best for:
- Third-party apps where users need to authorize access (e.g., “Login with Google”-style systems).
- Applications requiring strict OAuth2 compliance.
- Large-scale systems with multiple clients.
Key Differences Between Sanctum and Passport
| Feature | Sanctum | Passport |
|---|---|---|
| Complexity | Simple & lightweight | Complex (full OAuth2 implementation) |
| Setup | Easy (php artisan install:api) | Moderate to complex |
| Use Case | SPAs, mobile apps, APIs | Third-party apps, enterprise systems |
| Authentication | API tokens, cookie-based for SPAs | OAuth2 grants (Auth codes, Refresh tokens, etc.) |
| Token Abilities | Yes (abilities/scopes) | Yes (scopes) |
| When to Use | First-party apps, internal APIs | External/third-party integrations |
When to Choose Sanctum vs Passport
- Choose Sanctum if:
- You’re building your own SPA or mobile app.
- You don’t need OAuth2 features.
- You want quick setup with minimal complexity.
- Choose Passport if:
- You’re building a system where third-party clients need access.
- You require OAuth2 authorization flows.
- You need refresh tokens or advanced grant types.
Both packages are excellent, but they serve different purposes:
- Laravel Sanctum is ideal for most Laravel apps — it’s simple, lightweight, and secure.
- Laravel Passport should only be used if you specifically need OAuth2 for third-party integrations.
For 90% of projects, developers prefer Sanctum because of its simplicity and developer-friendly setup. Use Passport only when OAuth2 is truly necessary.
Conclusion
Laravel Sanctum is a game-changing authentication package for Laravel developers. It strikes the perfect balance between simplicity and security, making it the best choice for most projects.
Whether you need Laravel Sanctum authentication for your SPA, want to manage Laravel Sanctum API tokens, or are deciding between Laravel Sanctum vs Passport, this package provides the flexibility and power you need without unnecessary complexity.
If you’re building modern web or mobile applications with Laravel, Sanctum should be your go-to authentication solution.
Want to dive deeper? Explore the Laravel Sanctum docs for full technical details.
Comments