Laravel framework | ~5 mins

API authentication with Sanctum in Laravel

Introduction

API authentication with Sanctum lets your app verify who is making each request. It protects private data by checking the caller's identity before serving the request.

When building a mobile app that talks to your Laravel backend.
When you want users to log in and access their own data via API.
When you need simple token-based authentication without complex OAuth.
When you want to protect routes so only logged-in users can use them.
When you want to manage API tokens easily for users.
Syntax
Laravel
1. Install Sanctum via Composer:
   composer require laravel/sanctum

2. Publish Sanctum config and migration:
   php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

3. Run migrations:
   php artisan migrate

4. Add Sanctum's middleware to the api middleware group in app/Http/Kernel.php (Laravel 10 and earlier; this middleware is what enables cookie-based SPA authentication):
   'api' => [
       \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
       'throttle:api',
       \Illuminate\Routing\Middleware\SubstituteBindings::class,
   ],

5. Use HasApiTokens trait in User model:
   use Laravel\Sanctum\HasApiTokens;

6. Issue tokens in controller:
   $token = $user->createToken('token-name')->plainTextToken;

7. Protect routes with 'auth:sanctum' middleware.

Sanctum supports two modes: simple API tokens (sent in an Authorization: Bearer header) and cookie-based SPA authentication.

Sanctum stores only a SHA-256 hash of each token in the personal_access_tokens table; the plaintext token is shown once at creation, and any token can be revoked at any time.

Examples
Adds the HasApiTokens trait so the User model can issue and manage API tokens.
Laravel
<?php
// app/Models/User.php
namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    // HasApiTokens adds tokens(), createToken() and tokenCan() to the model
    use HasApiTokens, Notifiable;
}
Creates a new API token for the user and returns it.
Laravel
<?php
// In a controller: create a token for the authenticated $user.
// plainTextToken is the only place the secret is readable, so return it now
// and never log it; Sanctum keeps only its hash.
$token = $user->createToken('mobile-app')->plainTextToken;
return ['token' => $token];
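The snippet above issues a token with every ability (`['*']`). The following is an added example, not code from the original page or from the Sanctum project, showing how to issue a token limited to specific abilities with an expiry, and how to check those abilities on a route. It assumes Sanctum 3.x or newer (where createToken() accepts a third $expiresAt argument), that the `ability` middleware alias is registered in your app, and a hypothetical ability name `posts:read`.

```php
<?php
// Added example: scoped, expiring tokens and ability checks.
// Assumes Sanctum >= 3.x and the 'ability' middleware alias
// (Laravel 10: add 'ability' => \Laravel\Sanctum\Http\Middleware\CheckForAnyAbility::class
// to $middlewareAliases in app/Http/Kernel.php).
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Issue a token to an already-authenticated user for a mobile client.
Route::middleware('auth:sanctum')->post('/tokens/mobile', function (Request $request) {
    $user = $request->user();

    // Grant only the abilities this client needs (least privilege) and let the
    // token expire so a leaked copy has a bounded lifetime.
    $token = $user->createToken(
        'mobile-app',          // token name, shown to the user when listing tokens
        ['posts:read'],        // hypothetical ability name, not a Sanctum built-in
        now()->addDays(30)     // expiry; Sanctum rejects the token after this time
    );

    // plainTextToken is visible only here; Sanctum stores just its SHA-256 hash.
    return ['token' => $token->plainTextToken];
});

// Route-level check: the token must be valid AND carry the 'posts:read' ability.
Route::middleware(['auth:sanctum', 'ability:posts:read'])->get('/posts', function () {
    return ['posts' => []]; // constructed placeholder response
});

// Same check inside a handler, useful when the decision depends on the record.
Route::middleware('auth:sanctum')->delete('/posts/{id}', function (Request $request, int $id) {
    if (! $request->user()->tokenCan('posts:delete')) {
        // Authenticated but not authorised for this action: 403, not 401.
        return response(['message' => 'Token lacks posts:delete ability'], 403);
    }
    // ... delete post $id here ...
    return response()->noContent();
});
```

A token that fails the ability check still identifies the user, so the route answers 403 (forbidden) rather than 401 (unauthenticated); that distinction is useful when reviewing access logs.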
Only authenticated users with valid tokens can access this route.
Laravel
<?php
// Protect API route in routes/api.php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Requests without a valid Bearer token (or SPA session) receive 401 Unauthenticated
Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});
Sample Program

This example shows how to register and log in users to obtain API tokens. The /profile route is protected and returns the user's info only if the presented token is valid.

Laravel
<?php
// routes/api.php
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;

// Register user and return token
Route::post('/register', function (Request $request) {
    // Validate input before touching the database; unique:users rejects duplicate emails
    $data = $request->validate([
        'name' => 'required|string|max:255',
        'email' => 'required|email|unique:users,email',
        'password' => 'required|string|min:8',
    ]);
    $user = User::create([
        'name' => $data['name'],
        'email' => $data['email'],
        'password' => Hash::make($data['password']), // never store the raw password
    ]);
    $token = $user->createToken('api-token')->plainTextToken;
    return ['token' => $token];
});

// Login user and return token
Route::post('/login', function (Request $request) {
    $data = $request->validate([
        'email' => 'required|email',
        'password' => 'required|string',
    ]);
    $user = User::where('email', $data['email'])->first();
    // Same generic message whether the email is unknown or the password is wrong,
    // so the response does not reveal which accounts exist
    if (! $user || ! Hash::check($data['password'], $user->password)) {
        return response(['message' => 'Invalid credentials'], 401);
    }
    $token = $user->createToken('api-token')->plainTextToken;
    return ['token' => $token];
});

// Protected route: only requests carrying a valid token reach the closure
Route::middleware('auth:sanctum')->get('/profile', function (Request $request) {
    return $request->user();
});
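A practitioner will want proof that the protection actually works, not just that the happy path returns a token. The following feature test is an added example, not part of the original page, that exercises the /login and /profile routes above. It assumes a default Laravel test setup (the Tests\TestCase base class, RefreshDatabase, and the User factory) and uses a constructed test account.

```php
<?php
// Added example: PHPUnit feature test for the Sanctum routes shown above.
// Assumes Laravel's default test scaffolding and User factory.
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Tests\TestCase;

class SanctumAuthTest extends TestCase
{
    use RefreshDatabase;

    public function test_profile_rejects_missing_and_unknown_tokens(): void
    {
        // No Authorization header at all: the route must refuse.
        $this->getJson('/api/profile')->assertStatus(401);

        // A made-up token string has no hash in personal_access_tokens: still refused.
        $this->withHeader('Authorization', 'Bearer not-a-real-token')
            ->getJson('/api/profile')
            ->assertStatus(401);
    }

    public function test_login_issues_token_that_unlocks_profile(): void
    {
        // Constructed test account (not a real user).
        $user = User::factory()->create([
            'email' => 'alice@example.test',
            'password' => Hash::make('correct horse battery'),
        ]);

        // Wrong password: generic 401 with the same message as an unknown email.
        $this->postJson('/api/login', ['email' => 'alice@example.test', 'password' => 'wrong'])
            ->assertStatus(401)
            ->assertJson(['message' => 'Invalid credentials']);

        // Correct credentials: the plaintext token is returned exactly once.
        $token = $this->postJson('/api/login', [
            'email' => 'alice@example.test',
            'password' => 'correct horse battery',
        ])->assertOk()->json('token');

        // The database holds one token row and it is not the plaintext value.
        $this->assertDatabaseCount('personal_access_tokens', 1);
        $this->assertDatabaseMissing('personal_access_tokens', ['token' => $token]);

        // Presenting the token as a Bearer header unlocks the protected route.
        $this->withHeader('Authorization', "Bearer $token")
            ->getJson('/api/profile')
            ->assertOk()
            ->assertJsonPath('email', 'alice@example.test');
    }
}
```

Run it with `php artisan test --filter SanctumAuthTest`. The assertDatabaseMissing check is the one most worth keeping: it fails loudly if a future change ever starts persisting tokens in plaintext.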
Important Notes

Always protect sensitive routes with the 'auth:sanctum' middleware.

Tokens can be revoked at any time by deleting their rows from the personal_access_tokens table, for example through the user's tokens() relationship.

Always serve the API over HTTPS so bearer tokens cannot be read in transit.
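The note on revocation is where most real deployments need concrete code: a logout endpoint, a "log out everywhere" endpoint, and a lifetime limit so forgotten tokens do not live forever. The following is an added example, not code from the original page or from Sanctum itself. It assumes Sanctum 3.x (for the `expiration` key in config/sanctum.php and the `sanctum:prune-expired` command) and that the routes are reached with a token rather than an SPA session.

```php
<?php
// Added example: token revocation and lifetime limits.
// Assumes Sanctum >= 3.x and token-based (not SPA cookie) authentication.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Log out this device only: delete the token that authenticated this request.
// currentAccessToken() is a real row only for token-authenticated requests;
// for SPA session requests Sanctum returns a transient token that cannot be deleted.
Route::middleware('auth:sanctum')->post('/logout', function (Request $request) {
    $request->user()->currentAccessToken()->delete();
    return response()->noContent();
});

// Log out everywhere: delete every token the user owns.
// Call this after a password change or a suspected token leak.
Route::middleware('auth:sanctum')->post('/logout-all', function (Request $request) {
    $request->user()->tokens()->delete();
    return response()->noContent();
});

// List the caller's tokens so they can see which devices are still active.
// Only metadata is returned; the hashed secret never leaves the database.
Route::middleware('auth:sanctum')->get('/tokens', function (Request $request) {
    return $request->user()->tokens()->get(['id', 'name', 'last_used_at', 'expires_at']);
});

// Revoke one token by id, scoped to the caller's own tokens so a user cannot
// delete another account's token by guessing ids.
Route::middleware('auth:sanctum')->delete('/tokens/{id}', function (Request $request, int $id) {
    $deleted = $request->user()->tokens()->where('id', $id)->delete();
    return $deleted
        ? response()->noContent()
        : response(['message' => 'Token not found'], 404);
});

// Lifetime limit (config/sanctum.php): tokens older than this many minutes are
// rejected even if never explicitly revoked. Default is null (no expiry).
//   'expiration' => 60 * 24 * 30,   // 30 days
//
// Expired rows are not removed automatically; schedule the prune command,
// e.g. in routes/console.php or the scheduler:
//   Schedule::command('sanctum:prune-expired --hours=24')->daily();
```

Scoping the delete through `$request->user()->tokens()` rather than querying PersonalAccessToken directly is the important line: it turns "delete token N" into "delete my token N", which is the least-privilege form of the operation.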

Summary

Sanctum provides simple API token authentication for Laravel apps.

Use the HasApiTokens trait and createToken() to issue tokens.

Protect routes with 'auth:sanctum' middleware to require login.