Laravel Sanctum protects API routing through a simple token mechanism, suitable for SPAs, mobile applications and other scenarios. The installation requires composer require laravel/sanctum and run the migration command after publishing the migration file; the user model adds the HasApiTokens feature to support token management. Authentication routes are protected using auth:sanctum middleware, defined by default in routes/api.php, and ensure that the request contains the Accept: application/json header. Generate tokens to verify user credentials by creating a login endpoint and calling the createToken method to return plainTextToken; the client stores the token and carries Authorization: Bearer in the request header. Calling currentAccessToken()->delete() when logging out invalidates the current token. Cross-domain requests require config/cors.php to allow sources, credentials and necessary header information; if used in SPA, you also need to enable EnsureFrontendRequestsAreStateful middleware and handle homologous or CSRF issues.

When you're building RESTful APIs with Laravel Sanctum authentication, the main idea is to secure your API routes while keeping things simple and token-based. Sanctum gives you a lightweight way to handle authentication for SPAs (Single Page Apps), mobile apps, or even third-party services without needing OAuth servers or complex setups.

Setting up Laravel Sanctum

Before diving into API routes, make sure Sanctum is installed and configured properly. Start by installing it via Composer:

 composer requires laravel/sanctum

Then publish the config and migration files:

 php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

Run the migrations:

 php artisan migrate

You also need to add the HasApiTokens trait to your User model:

 use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens, Notifiable;
}

This allows users to generate and manage API tokens.

Creating authenticated API routes

In Laravel, Sanctum protects routes using middleware. You can apply the auth:sanctum middleware to any route you want to secure.

For example, in your routes/api.php file:

 Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

Make sure your routes are defined in api.php since Sanctum expects requests to come through the /api prefix by default unless you customize it.

Also, don't forget to include the Accept: application/json header in your requests — otherwise, Sanctum might not respond as expected.

Generating and managing API tokens

To let users authenticate and get an access token, create a login endpoint that issues tokens. Here's a basic flow:

1. Accept email and password from the user.
2. Authenticate the credentials.
3. Create a token and return it.

Here's a simple controller method:

 public function login(Request $request)
{
    $credentials = $request->validate([
        'email' => 'required|email',
        'password' => 'required',
    ]);

    if (Auth::attempt($credentials)) {
        $user = Auth::user();
        $token = $user->createToken('auth_token')->plainTextToken;

        return response()->json(['access_token' => $token]);
    }

    return response()->json(['error' => 'Unauthorized'], 401);
}

On the client side, store this token securely and send it in the Authorization header like so:

 Authorization: Bearer <your-token-here>

Keep in mind:

• Tokens are stored in the database under the personal_access_tokens table.
• You can scope tokens if needed, though Sanctum doesn't support scopes out of the box unless you build custom logic.
• Always invalidate tokens on logout:

 $user->currentAccessToken()->delete();

Handling CORS and SPA authentication

If you're building a Single Page Application that communicates with your Laravel backend, you'll want to set up proper CORS headers. Laravel has a built-in configuration file at config/cors.php .

Make sure you allow:

• The correct origins
• Credentials (set supports_credentials to true )
• Proper headers like Authorization , Content-Type , etc.

Sanctum supports cookie-based session authentication for SPAs too, but that requires some extra setup:

• Use the EnsureFrontendRequestsAreStateful middleware
• Make sure your frontend and backend share the same domain (or have proper CORS CSRF handling)

This part can be tricky, especially when dealing with cross-domain cookies and CSRF protection, so double-check Laravel's documentation for the latest guidance.

That's basically how you set up RESTful APIs with Laravel Sanctum authentication. It's straightforward once you understand the flow, but easy to trip over small details like headers, middleware placement, or CORS settings.

The above is the detailed content of Building RESTful APIs with Laravel Sanctum authentication. For more information, please follow other related articles on the PHP Chinese website!