Laravel Sanctum - API authentication


Laravel Sanctum is another official package from the Laravel framework. Until 20 March 2020 it was called Laravel Airlock; due to a trademark dispute, Taylor Otwell renamed it Laravel Sanctum and confirmed the change in a blog post. It is a lightweight authentication package for SPAs (Single Page Applications) and simple APIs. Before exploring the package, let's look at what Laravel Sanctum offers.

Laravel Sanctum features

  • Simple API auth
  • Issuing API Tokens
  • Token Abilities
  • Revoking Tokens
  • SPA auth with CSRF protection
  • Authenticating Mobile Applications


Laravel Sanctum Installation

Open a terminal and install the package with the composer require command.

composer require laravel/sanctum

Publish the vendor files (config and migration) of the Laravel Sanctum service provider.

php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

Now run the migrations, which create the personal_access_tokens table.

php artisan migrate

By default, Laravel ships the auth:api middleware for simple token-based API authentication. To use Sanctum for API authentication, add its middleware to the api middleware group in app/Http/Kernel.php; after that the auth:sanctum guard is available.

// app/Http/Kernel.php

use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;

// inside $middlewareGroups: requests coming from the SPA's own domain are treated
// as stateful (session cookie + CSRF check); every other request must carry a token
'api' => [
    EnsureFrontendRequestsAreStateful::class,
    'throttle:60,1',
    \Illuminate\Routing\Middleware\SubstituteBindings::class,
],

Done! Now you can use Sanctum in your API routes.

Laravel Sanctum Usages

Protect a route with the sanctum guard:

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// accepts either the SPA session cookie or a valid API token
Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

Multiple guards can be passed to the auth middleware; it tries them in order and uses the first one that authenticates the request. If Passport is also used for the API, declare the route as below:

Route::middleware('auth:sanctum,passport')->get('/user', function (Request $request) {
    return $request->user();
});


SPA Authentication

To use SPA auth, first make a GET request to /sanctum/csrf-cookie to initialise CSRF protection. That request sets the XSRF-TOKEN cookie, which the SPA must send back in an X-XSRF-TOKEN header on subsequent requests (axios does this automatically). After that, make a POST request to /login.

API Token Issuing

To issue API tokens, add the HasApiTokens trait to the User model.

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    // HasApiTokens adds the tokens() relation, createToken() and tokenCan()
    use HasApiTokens, Notifiable;
}

Now we can issue tokens for a user.

// the token name is a label (e.g. the device) stored alongside the token
$token = $user->createToken('here-token-name');

// plainTextToken is the only time the secret is visible: the database keeps
// only a SHA-256 hash of it, so hand it to the client now and never log it
return $token->plainTextToken;

Token Abilities

We can restrict a token's abilities so that the holder can perform only specific actions with that token.

// second argument: the list of abilities granted to this token
return $user->createToken('token-name', ['post:update'])->plainTextToken;

To check whether the current token has an ability, call the tokenCan method on the user model object.

if ($user->tokenCan('post:update')) {
    //
}

Revoking Tokens

To revoke every token issued to a user, delete them through the tokens relationship:

// loads all of the user's tokens and deletes them one by one
$user->tokens->each->delete();
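The issuing, ability check and revocation steps above put together in one routes/api.php, as an added example that is not part of the original post. It assumes the User model uses HasApiTokens; the Post model, the post:update route and the device_name field are hypothetical, and the User namespace is App\User or App\Models\User depending on the Laravel version.

```php
<?php
// Added example (not from the original post): issue a per-device token with
// limited abilities, check the ability on a route, and revoke tokens on logout.
use App\Models\Post; // hypothetical model
use App\Models\User; // App\User on Laravel 7
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\ValidationException;

// Issue a token: the name records the device, the abilities list caps what the
// token may do even though the user could do more through a normal session.
Route::post('/token', function (Request $request) {
    $data = $request->validate([
        'email'       => 'required|email',
        'password'    => 'required',
        'device_name' => 'required|string|max:255',
    ]);
    $user = User::where('email', $data['email'])->first();
    if (! $user || ! Hash::check($data['password'], $user->password)) {
        throw ValidationException::withMessages(['email' => ['Invalid credentials.']]);
    }
    // plainTextToken is the only time the secret is visible; only its hash is stored.
    return ['token' => $user->createToken($data['device_name'], ['post:update'])->plainTextToken];
});

Route::middleware('auth:sanctum')->group(function () {
    Route::put('/posts/{post}', function (Request $request, Post $post) {
        // Ability check first: a leaked 'post:update' token still cannot do anything else.
        if (! $request->user()->tokenCan('post:update')) {
            abort(403, 'This token lacks the post:update ability.');
        }
        $post->update($request->validate(['title' => 'required|string|max:255']));
        return $post;
    });

    // Logout for this device only: revoke the token that authenticated this request.
    Route::post('/logout', function (Request $request) {
        $request->user()->currentAccessToken()->delete();
        return response()->noContent();
    });

    // Revoke every token the user holds, e.g. after a password change.
    Route::post('/logout-all', function (Request $request) {
        $request->user()->tokens()->delete();
        return response()->noContent();
    });
});
```

Note that when the user is authenticated through the SPA session rather than a token, Sanctum attaches a TransientToken and tokenCan returns true for every ability, so the ability check never replaces your normal policy or gate authorization.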

 

Hope this post helps you learn about Laravel Sanctum and how to build an API with it. If you found it helpful, please share it with others.
