Laravel Sanctum

Last Updated: February 4, 2022

Laravel Sanctum provides a lightweight authentication system for SPAs (single page applications), mobile applications, and simple, token-based APIs.

If you build a single page application with Vue, React, or Angular, you can use Sanctum to authenticate the requests it makes to your REST API.

You can set up API authentication with a few lines of code.

You can use Sanctum to authenticate SaaS (multi-tenant) applications by adding some additional code.

Each user of the application can generate multiple tokens, for example one per device or integration.

Tokens can be given abilities (scopes) that limit what they are allowed to do, so you can use them for access control.

You can issue API tokens without the complexity of OAuth. Sanctum stores only a SHA-256 hash of each token in the personal_access_tokens table and authenticates an incoming HTTP request by hashing the bearer token it presents and looking that hash up; the plain-text token is shown once at creation and cannot be recovered from the database.
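As an added example that is not part of the original page, the following routes show tokens issued with abilities and those abilities enforced, both with Sanctum's abilities middleware and with tokenCan() inside a handler. It assumes a Laravel 8/9 application with Sanctum installed and the HasApiTokens trait on App\Models\User; the ability names (orders:read, orders:create), route paths and request fields are illustrative.

```php
<?php
// Added example (not from the original page). Assumes Sanctum is installed and
// App\Models\User uses Laravel\Sanctum\HasApiTokens. Ability names, paths and
// fields are illustrative.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Issue a token whose abilities depend on the requested scope. Without a second
// argument createToken() grants ['*'], which passes every tokenCan() check, so
// always pass an explicit list for anything less than full access.
Route::middleware('auth:sanctum')->post('/tokens/issue', function (Request $request) {
    $fields = $request->validate([
        'token_name' => 'required|string|max:255',
        'scope'      => 'required|in:read,write',
    ]);

    $abilities = $fields['scope'] === 'write'
        ? ['orders:read', 'orders:create']
        : ['orders:read'];

    // Only sha256($plainText) is written to personal_access_tokens; the plain
    // text is returned here once and cannot be retrieved later.
    $token = $request->user()->createToken($fields['token_name'], $abilities);

    return response()->json([
        'token'     => $token->plainTextToken,
        'abilities' => $token->accessToken->abilities,
    ], 201);
});

// Enforce an ability per route. 'abilities' and 'ability' are Sanctum's
// CheckAbilities / CheckForAnyAbility middleware, registered in
// app/Http/Kernel.php under $routeMiddleware (Laravel 8/9):
//   'abilities' => \Laravel\Sanctum\Http\Middleware\CheckAbilities::class,
//   'ability'   => \Laravel\Sanctum\Http\Middleware\CheckForAnyAbility::class,
Route::middleware(['auth:sanctum', 'abilities:orders:create'])
    ->post('/orders', function (Request $request) {
        return response()->json(['created' => true], 201);
    });

// Or decide inside the handler. Note that a request authenticated by the SPA
// session cookie carries a TransientToken, for which tokenCan() is always true,
// so ability checks only constrain bearer-token clients.
Route::middleware('auth:sanctum')->get('/orders', function (Request $request) {
    if (! $request->user()->tokenCan('orders:read')) {
        return response()->json(['message' => 'insufficient token abilities'], 403);
    }

    return response()->json(['orders' => []]); // constructed placeholder payload
});
```

Token abilities are a coarse, per-credential limit; they do not replace per-record authorization (policies or gates), which still decides whether this user may touch this order.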


(1) First install the sanctum using composer

composer require laravel/sanctum

(2) Publish configuration and migration files

php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

(3) Run the database migration

php artisan migrate

(4) If you plan to use Sanctum to authenticate a SPA, add Sanctum's middleware to the api middleware group in your application's app/Http/Kernel.php file. It treats requests coming from your configured stateful front-end domains as session (cookie) authenticated; every other request must present a bearer token:

'api' => [
    \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
    'throttle:api',
    \Illuminate\Routing\Middleware\SubstituteBindings::class,
],
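The SPA (cookie) flow also depends on two configuration files, shown here as an added example that is not part of the original page. The domain values are placeholders for your own front end.

```php
<?php
// Added example (not from the original page): config/sanctum.php settings the
// SPA cookie flow depends on. Domain values are placeholders.
return [
    // Only requests whose Origin/Referer host is listed here are treated as
    // stateful (session-cookie authenticated). Keep this list explicit: any
    // origin named here can ride the user's session, so never use a wildcard
    // or a shared hosting domain.
    'stateful' => explode(',', env(
        'SANCTUM_STATEFUL_DOMAINS',
        'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1'
    )),

    'guard' => ['web'],

    // Stateful requests still go through CSRF and cookie encryption, which is
    // why the client must fetch /sanctum/csrf-cookie before its first POST.
    'middleware' => [
        'verify_csrf_token' => App\Http\Middleware\VerifyCsrfToken::class,
        'encrypt_cookies'   => App\Http\Middleware\EncryptCookies::class,
    ],
];

// ---- config/cors.php (separate file) ----
// return [
//     'paths'                => ['api/*', 'sanctum/csrf-cookie'],
//     'allowed_methods'      => ['*'],
//     'allowed_origins'      => ['https://app.example.com'], // explicit, not '*'
//     'allowed_headers'      => ['*'],
//     // The browser only attaches the session cookie to cross-origin requests
//     // when this is true, and browsers reject '*' origins combined with it.
//     'supports_credentials' => true,
// ];
```

Set SANCTUM_STATEFUL_DOMAINS in .env to the exact host:port your front end is served from, and if the front end lives on a subdomain of the API, set SESSION_DOMAIN to the parent domain (for example .example.com) so the session cookie is sent to both.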

How to register a new user


// In App\Http\Controllers\UserController; requires
// use App\Models\User; and use Illuminate\Http\Request;
public function register(Request $request)
{
    $fields = $request->validate([
        'name' => 'required|string',
        'email' => 'required|string|email|unique:users,email',
        'password' => 'required|string|confirmed',
    ]);

    // bcrypt() stores a salted hash, never the password itself
    $user = User::create([
        'name' => $fields['name'],
        'email' => $fields['email'],
        'password' => bcrypt($fields['password']),
    ]);

    // plainTextToken is the only time the token is visible; the database keeps its hash
    return response()->json(['token' => $user->createToken('tokens')->plainTextToken], 200);
}


Route::post('/user/register', 'App\Http\Controllers\UserController@register');

Testing the code with Postman

How to login


// Requires use Illuminate\Support\Facades\Hash; in addition to the imports above
public function login(Request $request)
{
    $fields = $request->validate([
        'email' => 'required|string|email',
        'password' => 'required|string',
    ]);

    $user = User::where('email', $fields['email'])->first();

    // Hash::check compares against the stored bcrypt hash. Use the same generic
    // message whether the email or the password was wrong, and answer 401
    // rather than 200 so clients cannot mistake a failure for success.
    if (!$user || !Hash::check($fields['password'], $user->password)) {
        return response()->json(['type' => 'login_failed', 'message' => 'invalid_credentials'], 401);
    }

    return response()->json(['token' => $user->createToken('tokens')->plainTextToken], 200);
}


Route::post('/user/login', 'App\Http\Controllers\UserController@login');
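A quick way to check that the register, login and logout endpoints above behave as intended is a PHPUnit feature test. The following is an added example, not part of the original page; it assumes the routes live in routes/api.php (so they are served under /api), that the logout route is protected by auth:sanctum as shown later on this page, and that the application has a test database for the RefreshDatabase trait. All user data in it is constructed for the test.

```php
<?php
// Added example (not from the original page). Assumes routes/api.php (the /api
// prefix), the logout route behind auth:sanctum, and a test database.

namespace Tests\Feature;

use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class SanctumAuthTest extends TestCase
{
    use RefreshDatabase;

    private const EMAIL = 'alice@example.test';            // constructed
    private const PASSWORD = 'correct horse battery staple'; // constructed

    private function registerAndGetToken(): string
    {
        $response = $this->postJson('/api/user/register', [
            'name' => 'Alice Example',
            'email' => self::EMAIL,
            'password' => self::PASSWORD,
            'password_confirmation' => self::PASSWORD,
        ]);

        $response->assertStatus(200)->assertJsonStructure(['token']);

        return $response->json('token');
    }

    public function test_register_stores_only_a_hash_of_the_token(): void
    {
        $plain = $this->registerAndGetToken();

        // plainTextToken is "<id>|<secret>"; the table holds sha256(<secret>).
        [, $secret] = explode('|', $plain, 2);
        $this->assertDatabaseHas('personal_access_tokens', ['token' => hash('sha256', $secret)]);
        $this->assertDatabaseMissing('personal_access_tokens', ['token' => $secret]);
    }

    public function test_login_rejects_wrong_password_without_issuing_a_token(): void
    {
        $this->registerAndGetToken();

        $response = $this->postJson('/api/user/login', [
            'email' => self::EMAIL,
            'password' => 'not the password',
        ]);
        $response->assertJsonPath('type', 'login_failed');
        $this->assertNull($response->json('token'));

        $this->postJson('/api/user/login', [
            'email' => self::EMAIL,
            'password' => self::PASSWORD,
        ])->assertStatus(200)->assertJsonStructure(['token']);
    }

    public function test_logout_revokes_tokens_so_they_stop_working(): void
    {
        $plain = $this->registerAndGetToken();
        $headers = ['Authorization' => 'Bearer '.$plain];

        // No token and a bogus token are both refused by auth:sanctum.
        $this->postJson('/api/user/logout')->assertStatus(401);
        $this->postJson('/api/user/logout', [], ['Authorization' => 'Bearer 1|bogus'])
             ->assertStatus(401);

        $this->postJson('/api/user/logout', [], $headers)->assertStatus(200);

        // Every token row is gone and the same bearer token is now rejected.
        $this->assertDatabaseCount('personal_access_tokens', 0);
        $this->postJson('/api/user/logout', [], $headers)->assertStatus(401);
    }
}
```

Run it with php artisan test. The last test is the one worth keeping around: it proves that a revoked token is actually refused afterwards, which is the property a logout endpoint exists to provide.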

How to logout


// Requires use Illuminate\Support\Facades\Auth;
public function logout(Request $request)
{
    if (Auth::check()) {
        // Revoke every token this user holds, i.e. log out on all devices.
        // To revoke only the token used on this request, use
        // $request->user()->currentAccessToken()->delete() instead.
        Auth::user()->tokens->each(function ($token, $key) {
            $token->delete();
        });

        return response()->json("Token Deleted");
    } else {
        // Unreachable when the route sits behind auth:sanctum, which already
        // rejects unauthenticated requests with 401; kept as a safety net.
        return response()->json("No Authenticated User", 401);
    }
}


To protect a route, add the auth:sanctum middleware. It accepts either a valid bearer token or, for requests from a configured stateful front-end domain, the session cookie, and rejects everything else with 401 before the controller runs:

Route::group(['middleware' => ['auth:sanctum']], function () {
    Route::post('/user/logout', 'App\Http\Controllers\UserController@logout');
});
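Putting the routes together, the following routes/api.php is an added example that is not part of the original page. It rate-limits the unauthenticated credential endpoints and adds per-device revocation next to the page's revoke-everything logout; the UserController methods are the page's own, while the closures, the extra paths and the 5-per-minute limit are illustrative choices.

```php
<?php
// Added example (not from the original page). UserController::register/login/
// logout are the page's; the extra routes, limits and paths are illustrative.

use App\Http\Controllers\UserController;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Laravel\Sanctum\PersonalAccessToken;

// The credential endpoints are reachable without a token, so throttle them per
// IP (here 5 attempts per minute) to slow down online password guessing.
Route::middleware('throttle:5,1')->group(function () {
    Route::post('/user/register', [UserController::class, 'register']);
    Route::post('/user/login', [UserController::class, 'login']);
});

Route::middleware('auth:sanctum')->group(function () {
    // Revokes all of the user's tokens (see the logout method above).
    Route::post('/user/logout', [UserController::class, 'logout']);

    // Who am I: lets a client confirm its token still works.
    Route::get('/user', fn (Request $request) => $request->user());

    // List the caller's tokens so they can see which devices hold access.
    // Never return the token column (the hash) or the plain text.
    Route::get('/user/tokens', function (Request $request) {
        return $request->user()->tokens()
            ->get(['id', 'name', 'abilities', 'last_used_at', 'created_at']);
    });

    // Revoke only the token that authenticated this request (log out this
    // device). A session-authenticated SPA request carries a TransientToken
    // with no database row, so check for the concrete model before deleting.
    Route::post('/user/logout-device', function (Request $request) {
        $token = $request->user()->currentAccessToken();

        if (! $token instanceof PersonalAccessToken) {
            return response()->json(['message' => 'no API token on this request'], 400);
        }

        $token->delete();

        return response()->json(['message' => 'current token revoked']);
    });

    // Revoke one token by id. Scoping the query through the caller's tokens()
    // relation means a user can neither revoke nor enumerate other users' tokens.
    Route::delete('/user/tokens/{id}', function (Request $request, int $id) {
        $deleted = $request->user()->tokens()->where('id', $id)->delete();

        return response()->json(['deleted' => (bool) $deleted], $deleted ? 200 : 404);
    });
});
```

The per-id delete answers 404 rather than 403 when the id belongs to someone else, so the response does not reveal whether that token exists.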