Laravel Sanctum 和 Laravel Passport 是用于 API 認證的兩種工具，適用于不同場景。1. Sanctum 更簡單輕量，適合 SPAs、移動應用及基礎令牌認證；2. Passport 是完整的 OAuth2 服務器，支持第三方訪問令牌、令牌撤銷和精細的作用域控制。若需 OAuth2 功能則使用 Passport，否則 Sanctum 更合適。兩者設置流程不同：Sanctum 需安裝、發(fā)布配置、運行遷移、更新用戶模型并添加中間件，通過 createToken 方法生成令牌；Passport 則需安裝、運行遷移、執(zhí)行 passport:install 命令、更新用戶模型并注冊路由。選擇時應根據(jù)項目需求判斷是否需要 OAuth2 的高級功能。

When building APIs with Laravel, securing them properly is crucial—especially if they're consumed by mobile apps or SPAs (Single Page Applications). Two common tools for this are Laravel Sanctum and Laravel Passport. Both can handle authentication, but they serve different use cases and have distinct setups.

Understanding the Differences: Sanctum vs. Passport

Laravel Sanctum and Passport both provide API authentication, but their approach is quite different.

• Sanctum is simpler and lightweight. It’s great for SPAs, mobile apps, and simple token-based authentication.
• Passport is a full OAuth2 server, which means it supports more complex scenarios like third-party access tokens, token revocation, and granular scopes.

If you don’t need full OAuth2 features, Sanctum is usually enough—and easier to set up.

Setting Up Sanctum in Your Laravel API

To secure your Laravel API with Sanctum, follow these steps:

1. Install Sanctum: Run composer require laravel/sanctum and publish the config file using php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider".

2. Run Migrations: Sanctum needs a table to store tokens, so run php artisan migrate.

3. Update User Model: Add the HasApiTokens trait to your User model (use Laravel\Sanctum\HasApiTokens;).

4. Configure Middleware: In app/Http/Kernel.php, make sure \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class is added to the api middleware group.

5. Create Tokens: Use $user->createToken('token-name') to generate tokens. Return that token to the client after login.

6. Protect Routes: Use the auth:sanctum guard to protect your API routes.

One thing to note: Sanctum tokens don't expire by default. If you want short-lived tokens, enable that in the config and manage refresh logic on the client side.

How to Secure APIs Using Laravel Passport

If your app needs OAuth2 functionality (like allowing third-party services to authenticate), Passport is the better choice.

Here’s how to get started:

• Install Passport: Run composer require laravel/passport and then php artisan migrate.
• Install JavaScript Dependencies: Run npm install passport passport-http-bearer if you’re using Node.js for frontend.
• Run Passport Install Command: Execute php artisan passport:install. This generates encryption keys and creates OAuth clients needed for issuing tokens.
• Update User Model: Add the HasApiTokens trait from Passport and use the Laravel\Passport\HasApiTokens namespace.
• Add Passport Routes: In your AuthServiceProvider, call Passport::routes() inside the boot method.
• Set Auth Guard: In config/auth.php, set the api driver to passport.

With Passport, you can issue long-lived tokens, revoke them, and even allow users to grant access to third-party apps. However, this also adds complexity—so only go this route if you really need those features.

Choosing Between Sanctum and Passport

The decision really comes down to your project's requirements.

• Go with Sanctum if:

  • You're building a SPA or mobile app.
  • You don’t need OAuth2 features like scopes or third-party access.
  • Simplicity and speed of setup matter.

• Choose Passport if:

  • You need full OAuth2 support.
  • You're planning to offer an API for third-party developers.
  • Token management beyond basic auth is required.

Both tools work well, but mixing them isn’t recommended unless you have a very specific reason to do so.

Basically, start with Sanctum unless you know you’ll need Passport’s extra capabilities.

以上是用圣所或護照身份驗證確保Laravel API的詳細內容。更多信息請關注PHP中文網(wǎng)其他相關文章！