Laravel Sanctum - API authentication

Laravel Sanctum is another official package for the Laravel framework. Until 20 March 2020 it was called Laravel Airlock. Because of a trademark dispute, Taylor Otwell renamed it to Laravel Sanctum and confirmed the change in a blog post. It is a lightweight authentication package for SPAs (Single Page Applications) and simple APIs. Before exploring the package, let's look at what Laravel Sanctum offers.

Laravel Sanctum features

  • Simple API auth
  • Issuing API Tokens
  • Token Abilities
  • Revoking Tokens
  • SPA auth with CSRF protection
  • Authenticating Mobile Applications


Laravel Sanctum Installation

Open the command prompt and install the package with the composer require command.

composer require laravel/sanctum

Publish the vendor files of the Laravel Sanctum service provider.

php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

Now run the migration command.

php artisan migrate


By default, Laravel offers the auth:api middleware for simple token-based API authentication. To use Sanctum for API authentication, we have to add its middleware to the api group in the kernel file. After that, we can use auth:sanctum.


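use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;

'api' => [
    EnsureFrontendRequestsAreStateful::class,
    // ...the group's existing middleware entries stay below
],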

Done! Now we can use Sanctum in our API routes.


Laravel Sanctum Usages


Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

We can use multiple guards for authentication. If we use Passport for our API, then we have to write it as below.

Route::middleware('auth:sanctum,passport')->get('/user', function (Request $request) {
    return $request->user();
});


SPA Authentication

To use SPA authentication, first make a GET request to /sanctum/csrf-cookie to enable CSRF protection. After that, make a POST request to /login.
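The two requests above, written with fetch() as an added example that is not code from the original post. The function names (cookieValue, sanctumLogin, makeStubBackend) and the injected fetchImpl/readCookies parameters are assumptions made here; the stub backend and its token are constructed so the flow can run offline.

```javascript
// Added example, not from the original post. fetchImpl and readCookies are
// injected (hypothetical) parameters; in a browser pass
// window.fetch.bind(window) and () => document.cookie.

// Pull one value out of a document.cookie-style string.
function cookieValue(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      // The cookie value is URL-encoded; the header needs the decoded form.
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

async function sanctumLogin(fetchImpl, readCookies, credentials) {
  // Step 1: GET /sanctum/csrf-cookie so the server sets the XSRF-TOKEN cookie.
  const init = await fetchImpl('/sanctum/csrf-cookie', { method: 'GET', credentials: 'include' });
  if (!init.ok) throw new Error('csrf-cookie request failed: ' + init.status);
  const xsrf = cookieValue(readCookies(), 'XSRF-TOKEN');
  if (xsrf === null) throw new Error('XSRF-TOKEN cookie not set');

  // Step 2: POST /login, echoing the token in the X-XSRF-TOKEN header.
  const res = await fetchImpl('/login', {
    method: 'POST',
    credentials: 'include', // send cookies with the request
    headers: { 'Content-Type': 'application/json', Accept: 'application/json', 'X-XSRF-TOKEN': xsrf },
    body: JSON.stringify(credentials),
  });
  if (res.status === 419) throw new Error('CSRF token mismatch (419)');
  return res.ok;
}

// Constructed stand-in for the Laravel side, for offline runs only: it sets
// the cookie in step 1 and answers 419 unless step 2 echoes the decoded value.
function makeStubBackend(token) {
  const state = { cookies: '', calls: [] };
  state.fetch = async (url, opts) => {
    state.calls.push(opts.method + ' ' + url);
    if (url === '/sanctum/csrf-cookie') {
      state.cookies = 'theme=dark; XSRF-TOKEN=' + encodeURIComponent(token);
      return { ok: true, status: 204 };
    }
    const match = opts.headers['X-XSRF-TOKEN'] === token;
    return match ? { ok: true, status: 204 } : { ok: false, status: 419 };
  };
  return state;
}
```

Axios sends the X-XSRF-TOKEN header from the cookie automatically; with plain fetch() the header has to be set by hand as shown.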


API Token Issuing

To issue API tokens, we have to use the HasApiTokens trait in our user model.

use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens, Notifiable;
}

Now we can issue tokens for a user.

$token = $user->createToken('here-token-name');
// The plain-text value is available only here, right after creation.
return $token->plainTextToken;


Token Abilities

We can restrict the abilities of a token so that the user can do only specific things with that API token.

return $user->createToken('token-name', ['post:update'])->plainTextToken;

To check the ability of a token, we can use the tokenCan method on a user model object.

if ($user->tokenCan('post:update')) {
    // the token carries the post:update ability
}


Revoking Tokens



Hope this post will help you learn about Laravel Sanctum and how to build an API using the Laravel Sanctum package. If this post was helpful, please share it with others.

