Laravel Passport is suitable for applications that require issuing access tokens to third-party clients and supports OAuth2 standard process; Sanctum is suitable for protecting first-party API calls, making it lighter and simpler. 1. If third-party access control is required, use Passport: install, migrate, configure the User model and AuthServiceProvider. 2. If it is an internal SPA or mobile interface, select Sanctum: install, publish configuration, and add middleware. Both can manage token scope and expiration time, but Passport has built-in scope control, while Sanctum needs to be implemented by itself. Routing is protected through auth:sanctum or auth:passport middleware, and should be combined with HTTPS, current limiting and other security measures.

API security is a must-have for any modern web application, especially when you're building APIs that will be consumed by third-party apps or frontend clients. Laravel gives you two solid options out of the box: Passport and Sanctum . Choosing between them depends on your use case, but here's how to make the right call and set things up properly.

When to Use Laravel Passport

Laravel Passport is essentially an OAuth2 server implementation. If your app needs to issue access tokens to third-party clients (like mobile apps or external services), Passport is the way to go.

• It supports standard OAuth2 flows like Authorization Code, Password Grant, and Client Credentials.
• Great for applications where third parties need controlled access to your API without sharing user credentials.
• You get features like token scopes and client management built-in.

To get started:

• Install via Composer: composer require laravel/passport
• Run migrations and install Passport: php artisan passport:install --force
• Set up your User model to use the HasApiTokens trait.
• Configure Passport in your AuthServiceProvider .

One thing to note: Passport can feel heavy if all you need is simple token-based auth. That's where Sanctum shines.

When Laravel Sanctum Is the Better Choice

If your main goal is to secure first-party API calls—like from a SPA or a mobile app tied directly to your Laravel backend— Sanctum is simpler and more lightweight.

• No full OAuth2 stack involved.
• Works great with stateful SPAs using session cookies and CSRF protection.
• Also supports simple API tokens for stateless usage (eg, mobile apps).

Setting it up is straightforward:

• Install with Composer: composer require laravel/sanctum
• Publish config and run migrations: php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
• Add middleware: \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class in your app/Http/Kernel.php under the api middleware group.

For most small-to-medium sized apps that don't need full OAuth2 support, Sanctum hits the sweet spot.

Handling Token Scopes and Expiry

Both tools allow you to manage token scopes and expiration times, but the approach differences slightly.

With Passport , you define scopes in code and assign them when issuing tokens. This lets you control fine-grained permissions per token.

 // Example of checking scope in a controller
if (! $request->user()->tokenCan('read-posts')) {
    return response()->json(['error' => 'Unauthorized'], 403);
}

With Sanctum , you don't get built-in scope handling unless you roll your own logic. So if you need scoped access, you'll have to store and check scopes manually—maybe in a database table linked to each token.

Either way, always set reasonable expiry times for tokens. Long-lived tokens are a risk. Rotate them periodically, especially if users change passwords or revoke access.

Securing Routes and Middleware Setup

No matter which tool you choose, securing your routes come down to middleware.

In both cases, you'll typically use the auth:sanctum or auth:passport guards depending on what you're using.

For example:

 Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

Make sure to:

• Only apply auth middleware where needed.
• Consider rate limiting API routes to prevent abuse.
• Use HTTPS in production—tokens should never travel over plain HTTP.

Also, for Sanctum in SPA settings, make sure to configure CORS properly and enable stateful authentication so sessions work correctly across domains.

So, Passport vs Sanctum? If you're running an API platform that issues tokens to third-party clients, go with Passport. If you're building a simpler API for internal use—especially with a SPA or mobile front end—Sanctum does the job with less overhead.

They both do their jobs well, but picking the right one keeps your auth setup clean and secure. And that's really what matters in the long run.

The above is the detailed content of Securing APIs using Laravel Passport or Sanctum.. For more information, please follow other related articles on the PHP Chinese website!