How to Implement API Authentication in Laravel Easily

To implement API authentication in Laravel, use Laravel Sanctum which provides a simple token-based system. Install Sanctum, configure it, then protect your API routes with the auth:sanctum middleware to require valid tokens for access.

Syntax

Laravel Sanctum uses middleware and token management to secure API routes. Key parts include:

  • composer require laravel/sanctum - installs the Sanctum package.
  • auth:sanctum - middleware that protects routes.
  • createToken() - method that generates API tokens for users.
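php
<?php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Protect API routes in routes/api.php
Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

// Generate a token in a controller; $user is a User model instance
// that uses the Laravel\Sanctum\HasApiTokens trait
$token = $user->createToken('token-name')->plainTextToken;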

Example

This example shows how to set up Laravel Sanctum for API authentication, create a token, and protect a route.

php
<?php
// 1. Install Sanctum via Composer
// composer require laravel/sanctum

// 2. Publish Sanctum config and migration
// php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

// 3. Run migrations
// php artisan migrate

// 4. Add Sanctum middleware in app/Http/Kernel.php
//    (this middleware enables cookie-based authentication for a first-party SPA;
//    bearer-token requests are authenticated by auth:sanctum in step 5)
// 'api' => [
//     \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
//     'throttle:api',
//     \Illuminate\Routing\Middleware\SubstituteBindings::class,
// ],

// 5. Protect routes in routes/api.php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

// 6. Create token in a controller or tinker
//    (the User model must use the Laravel\Sanctum\HasApiTokens trait)
use App\Models\User;

$user = User::findOrFail(1); // example user; throws if the user does not exist
$token = $user->createToken('api-token')->plainTextToken;
echo $token;
Output
1|<random string> (the plain-text token, in the form <token id>|<random string>; Sanctum tokens are opaque, database-backed strings, not JWTs)

Common Pitfalls

Common mistakes when implementing API authentication in Laravel include:

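  • Not running migrations after installing Sanctum, so the tables that store tokens don't exist.
  • Forgetting to add the auth:sanctum middleware to API routes, leaving them unprotected.
  • Using session-based authentication instead of token-based authentication for APIs.
  • Not returning the token to the client after creation. The plain-text value is only available at that moment, because Sanctum stores a hash of the token rather than the token itself.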
php
<?php
// Wrong: Route without middleware (unprotected)
Route::get('/user', function (Request $request) {
    return $request->user();
});

// Right: Route protected with Sanctum middleware
Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

Quick Reference

Summary tips for Laravel API authentication with Sanctum:

  • Install Sanctum with Composer and publish migrations.
  • Run migrations to create necessary tables.
  • Protect API routes with auth:sanctum middleware.
  • Create tokens using the createToken() method on the User model.
  • Send tokens in the Authorization: Bearer <token> header of API requests.

Key Takeaways

Use Laravel Sanctum for simple and secure API token authentication.
Protect API routes with the auth:sanctum middleware to require tokens.
Generate tokens with the createToken() method on the User model.
Always run migrations after installing Sanctum to create token tables.
Send the token in the Authorization header as a Bearer token for API calls.