Building Secure APIs in Laravel with Sanctum
APIs are the backbone of modern applications. Whether you're building a web app, mobile app, or SPA (Single Page Application), the API is how the frontend talks to the backend, and authentication is what stops anyone else from talking to it.
Laravel provides multiple ways to handle API authentication, and one of the most popular is Laravel Sanctum. It is lightweight, simple to use, and a good fit for APIs that don't need the complexity of a full OAuth2 server.
🚀 What is Laravel Sanctum?
Laravel Sanctum is a lightweight authentication package with two modes:
- Personal access tokens: opaque random strings sent by the client in an Authorization: Bearer header, optionally scoped with abilities and given an expiry. Only a SHA-256 hash of each token is stored in the personal_access_tokens table. This is the mode for mobile apps and third-party-free API clients.
- Cookie-based session authentication for a first-party SPA (Vue, React, Angular) served from the same top-level domain, with CSRF protection.
- It is much simpler to set up than Passport, which is a complete OAuth2 server; pick Passport only if third-party clients need OAuth2 flows.
🔧 Step 1: Install Laravel & Sanctum
On Laravel 11 and later, php artisan install:api does most of the work: it runs composer require laravel/sanctum, publishes Sanctum's config and migration, creates routes/api.php and offers to run the migrations.
composer create-project laravel/laravel laravel-sanctum-api
cd laravel-sanctum-api
php artisan install:api
php artisan migrate
On Laravel 10 and earlier there is no install:api command, so require and publish the package by hand instead:
composer require laravel/sanctum
php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
php artisan migrate
Either way, the migration creates the personal_access_tokens table that holds the hashed tokens.
🔧 Step 2: Configure Middleware
The middleware group below is the Laravel 10 (and earlier) form and belongs in the $middlewareGroups array of app/Http/Kernel.php, not in bootstrap/app.php. Laravel 11 removed the HTTP Kernel; there the same thing is a single call, $middleware->statefulApi(), inside withMiddleware() in bootstrap/app.php. In both cases EnsureFrontendRequestsAreStateful is only needed when a first-party SPA authenticates with session cookies: it enables the session and CSRF middleware for requests coming from the hosts listed in SANCTUM_STATEFUL_DOMAINS. The bearer-token flow built in this tutorial works without it, so you can skip this step if you only issue tokens.
'api' => [
    \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
    'throttle:api',
    \Illuminate\Routing\Middleware\SubstituteBindings::class,
],
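For Laravel 11 and later, where bootstrap/app.php replaces the HTTP Kernel, the equivalent configuration is shown below. This is an added example and not code from the original post; the withRouting paths are the ones install:api generates, and the rest is the stock Laravel 11 skeleton.

```php
<?php
// bootstrap/app.php on Laravel 11+ (added example, not the post's original code)

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',        // created by "php artisan install:api", mounted under /api
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        // Equivalent of prepending EnsureFrontendRequestsAreStateful to the "api" group.
        // Only needed when a first-party SPA authenticates with session cookies; a pure
        // bearer-token API (the flow in this tutorial) can leave this line out entirely.
        $middleware->statefulApi();
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();
```

If you do use statefulApi(), also set SANCTUM_STATEFUL_DOMAINS in .env to the SPA's host (for example localhost:5173) and set supports_credentials to true in config/cors.php; otherwise the browser will not attach the session cookie to cross-origin API calls and every request will come back 401.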
🔧 Step 3: Setup User Model
In app/Models/User.php, include the HasApiTokens trait. It adds createToken(), tokens(), currentAccessToken() and tokenCan() to the model, which is everything the token flow below needs:
namespace App\Models;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Sanctum\HasApiTokens;
class User extends Authenticatable
{
    // HasApiTokens: createToken(), tokens(), currentAccessToken(), tokenCan()
    use HasApiTokens, HasFactory, Notifiable;
}
🔧 Step 4: Create Authentication APIs
Register API
// routes/api.php
use App\Http\Controllers\AuthController;
Route::post('/register', [AuthController::class, 'register']);
// app/Http/Controllers/AuthController.php
namespace App\Http\Controllers;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
class AuthController extends Controller
{
    public function register(Request $request)
    {
        // Validate first; a failing request gets a 422 with per-field errors and never reaches User::create
        $data = $request->validate([
            'name' => 'required|string|max:255',
            'email' => 'required|string|email|max:255|unique:users,email',
            'password' => 'required|string|min:8',
        ]);
        $user = User::create([
            'name' => $data['name'],
            'email' => $data['email'],
            'password' => Hash::make($data['password']), // store the bcrypt hash, never the plaintext
        ]);
        // plainTextToken is visible only here: Sanctum persists hash('sha256', token) and cannot show it again
        $token = $user->createToken('API Token')->plainTextToken;
        return response()->json([
            'user' => $user,   // password and remember_token are in $hidden, so they are not serialized
            'token' => $token,
        ], 201);
    }
}
The original used email without the email rule and a six-character password minimum; Laravel's own Password::defaults() rule starts at eight characters, so min:8 is used here. The token string returned to the client has the form "<id>|<random>"; the personal_access_tokens table only holds the SHA-256 hash of the random part, so a database leak does not leak usable tokens.
Login API
Route::post('/login', [AuthController::class, 'login']);
public function login(Request $request)
{
    // Without validation a missing field arrives as null and reaches Hash::check as an empty password
    $credentials = $request->validate([
        'email' => 'required|string|email',
        'password' => 'required|string',
    ]);
    $user = User::where('email', $credentials['email'])->first();
    // One message for "unknown email" and "wrong password", so the endpoint does not reveal which accounts exist
    if (!$user || !Hash::check($credentials['password'], $user->password)) {
        return response()->json(['error' => 'Invalid credentials'], 401);
    }
    // Each login creates a new token row; the old ones stay valid until revoked
    $token = $user->createToken('API Token')->plainTextToken;
    return response()->json([
        'user' => $user,
        'token' => $token,
    ]);
}
The api middleware group's throttle:api limiter (60 requests per minute per user or IP by default) is all that protects this endpoint from password guessing. A login route deserves a much tighter, per-account limit; Laravel's throttle middleware parameters (for example throttle:5,1) or the RateLimiter facade give you that.
Logout API
Route::post('/logout', [AuthController::class, 'logout'])->middleware('auth:sanctum');
public function logout(Request $request)
{
    // tokens()->delete() revokes EVERY token the user holds, i.e. logs out all devices at once
    $request->user()->tokens()->delete();
    return response()->json(['message' => 'Logged out successfully']);
}
If you only want to revoke the token that made the request (the usual "log out this device" behaviour), call $request->user()->currentAccessToken()->delete() instead; this applies to bearer-token requests, since a stateful SPA request carries a transient token rather than a database row.
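The controller above works, but a production API normally wants stricter input rules, a per-account rate limit on login, tokens that are scoped and expire, and a logout that only revokes the token the client is holding. The following is an added example, not code from the original post, of a hardened version of the same three actions. The ability name profile:read, the device_name field, the five-attempts-per-minute limit and the seven-day token lifetime are assumptions; the expiresAt argument to createToken() requires Sanctum 3 or later.

```php
<?php
// app/Http/Controllers/AuthController.php (added hardened example, not the post's original code)

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str;
use Illuminate\Validation\Rules\Password;
use Illuminate\Validation\ValidationException;

class AuthController extends Controller
{
    // Abilities a freshly issued token gets; narrower than Sanctum's default ['*'] (assumed name)
    private const DEFAULT_ABILITIES = ['profile:read'];

    public function register(Request $request)
    {
        $data = $request->validate([
            'name'        => ['required', 'string', 'max:255'],
            'email'       => ['required', 'string', 'email', 'max:255', 'unique:users,email'],
            // Password::defaults() is Laravel's built-in rule (minimum 8 characters unless overridden)
            'password'    => ['required', 'confirmed', Password::defaults()],
            'device_name' => ['required', 'string', 'max:100'],   // assumed field, e.g. "iPhone 15" or "CI runner"
        ]);

        $user = User::create([
            'name'     => $data['name'],
            'email'    => $data['email'],
            'password' => Hash::make($data['password']),
        ]);

        return response()->json([
            'user'  => $user,
            'token' => $this->issueToken($user, $data['device_name']),
        ], 201);
    }

    public function login(Request $request)
    {
        $credentials = $request->validate([
            'email'       => ['required', 'string', 'email'],
            'password'    => ['required', 'string'],
            'device_name' => ['required', 'string', 'max:100'],
        ]);

        // Throttle per (email, IP) so a single account cannot be brute-forced: 5 attempts per minute (assumed)
        $key = 'login:' . Str::lower($credentials['email']) . '|' . $request->ip();
        if (RateLimiter::tooManyAttempts($key, 5)) {
            throw ValidationException::withMessages([
                'email' => ['Too many login attempts. Try again in ' . RateLimiter::availableIn($key) . ' seconds.'],
            ]);
        }

        $user = User::where('email', $credentials['email'])->first();

        // Same response for "no such user" and "wrong password": no account enumeration
        if (! $user || ! Hash::check($credentials['password'], $user->password)) {
            RateLimiter::hit($key, 60);   // count the failure for 60 seconds
            return response()->json(['error' => 'Invalid credentials'], 401);
        }

        RateLimiter::clear($key);

        return response()->json([
            'user'  => $user,
            'token' => $this->issueToken($user, $credentials['device_name']),
        ]);
    }

    public function logout(Request $request)
    {
        // Revoke only the token that authenticated this request; other devices stay logged in
        $request->user()->currentAccessToken()->delete();

        return response()->json(['message' => 'Logged out successfully']);
    }

    // Issue a scoped token that expires after 7 days (assumed lifetime). The name is the device label,
    // which makes a later "list my sessions" screen meaningful; Sanctum stores only the SHA-256 hash.
    private function issueToken(User $user, string $deviceName): string
    {
        return $user->createToken($deviceName, self::DEFAULT_ABILITIES, now()->addDays(7))->plainTextToken;
    }
}
```

The throttle key combines the lowercased email with the client IP, so an attacker spraying one password across many accounts is still caught by the global throttle:api limiter, while a targeted attack on one account is cut off after five failures regardless of how many IPs the rest of the API sees. A successful login clears the counter so legitimate users who mistyped once are not locked out.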
🔒 Step 5: Protect Routes with Sanctum
// routes/api.php (Illuminate\Http\Request is already imported in the generated file)
Route::get('/profile', function (Request $request) {
    return $request->user();   // resolved from the bearer token (or the SPA session) by the sanctum guard
})->middleware('auth:sanctum');
The auth:sanctum guard takes the Authorization: Bearer header, hashes the token with SHA-256, looks the hash up in personal_access_tokens, checks expiry, and sets the owning user on the request. A missing, unknown, revoked or expired token yields a 401 Unauthenticated JSON response before the closure runs.
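Sanctum tokens can carry abilities (scopes), which means a leaked or over-privileged token can do less than the account it belongs to. The routes below are an added example, not code from the original post, of enforcing abilities with Sanctum's CheckAbilities and CheckForAnyAbility middleware and of a per-user token management endpoint. They assume the middleware aliases abilities and ability have been registered (Laravel 11+: $middleware->alias([...]) in bootstrap/app.php; Laravel 10: $middlewareAliases in app/Http/Kernel.php) and that tokens were issued with ability names such as profile:read, orders:write and tokens:manage (all assumed names) instead of the default ['*'].

```php
<?php
// routes/api.php: added example (not the post's original code) of ability-scoped routes and
// self-service token management. Assumes the 'abilities' and 'ability' middleware aliases point at
// Laravel\Sanctum\Http\Middleware\CheckAbilities and CheckForAnyAbility respectively.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->group(function () {
    // Any valid bearer token (or a stateful SPA session) may read the profile
    Route::get('/profile', fn (Request $request) => $request->user());

    // CheckAbilities: the token must carry EVERY listed ability. A first-party SPA session carries a
    // TransientToken whose can() always returns true, so these checks only constrain API tokens.
    Route::post('/orders', function (Request $request) {
        $order = $request->validate(['sku' => 'required|string', 'qty' => 'required|integer|min:1']);
        return response()->json(['accepted' => $order, 'by' => $request->user()->id], 202);
    })->middleware('abilities:orders:write,profile:read');

    // CheckForAnyAbility: the token needs at least ONE of the listed abilities
    Route::get('/reports', fn () => ['reports' => []])->middleware('ability:reports:read,admin');

    // List the caller's own tokens; the hash column is deliberately not selected
    Route::get('/tokens', function (Request $request) {
        return $request->user()->tokens()
            ->get(['id', 'name', 'abilities', 'last_used_at', 'expires_at']);
    })->middleware('abilities:tokens:manage');

    // Revoke one token by id. The query goes through the relationship, so a user cannot delete another
    // user's token by guessing its id (the IDOR version would be PersonalAccessToken::find($id)->delete()).
    Route::delete('/tokens/{id}', function (Request $request, string $id) {
        $deleted = $request->user()->tokens()->whereKey($id)->delete();
        abort_if($deleted === 0, 404);
        return response()->noContent();
    })->whereNumber('id')->middleware('abilities:tokens:manage');

    // The same check can be made inside a handler with tokenCan(); handy when only part of a route is sensitive
    Route::delete('/profile', function (Request $request) {
        abort_unless($request->user()->tokenCan('profile:delete'), 403, 'Token lacks profile:delete');
        $request->user()->tokens()->delete();   // revoke everything before the account goes away
        $request->user()->delete();
        return response()->noContent();
    });
});
```

Middleware parameters are split on the first colon, so ability names may themselves contain colons (orders:write) as in the Sanctum documentation's server:update example. Note the asymmetry: a token created with createToken('name') gets ['*'] and passes every ability check, so scoping only helps if the issuing code (the login controller) hands out narrower ability lists.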
🛠 Step 6: Test API with Postman
- POST /api/register with name, email and password → the response contains a token.
- POST /api/login with the same email and password → a new token (each login adds another row to personal_access_tokens).
- Copy the token and set it in Authorization > Bearer Token in Postman; Postman then sends it as an Authorization: Bearer <token> header on every request.
- Access protected routes such as GET /api/profile; without the header you get a 401 Unauthenticated response.
- POST /api/logout with the header set; the same token now returns 401 on /api/profile.
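Postman is fine for a manual check, but the same walk-through can be pinned down as a feature test so it keeps passing after refactors. The test below is an added example, not part of the original post; it assumes the routes from Step 4 and Step 5 are mounted under /api (the prefix install:api sets up) and that a test database is configured for RefreshDatabase to migrate. The user data is constructed for the test.

```php
<?php
// tests/Feature/SanctumAuthTest.php (added example, not the post's original code)

namespace Tests\Feature;

use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class SanctumAuthTest extends TestCase
{
    use RefreshDatabase;

    public function test_full_token_lifecycle(): void
    {
        // Register: expect a user and a plaintext token back (constructed test data)
        $register = $this->postJson('/api/register', [
            'name'     => 'Alice',
            'email'    => 'alice@example.com',
            'password' => 'correct-horse-battery',
        ]);
        $register->assertSuccessful()->assertJsonStructure(['user' => ['id', 'email'], 'token']);
        $token = $register->json('token');

        // The table holds only hash('sha256', <secret part>); the plaintext appears nowhere in the DB
        [, $secret] = explode('|', $token, 2);
        $this->assertDatabaseHas('personal_access_tokens', ['token' => hash('sha256', $secret)]);
        $this->assertDatabaseMissing('personal_access_tokens', ['token' => $secret]);

        // No Authorization header -> 401 (checked before withToken(), whose header persists for the test)
        $this->getJson('/api/profile')->assertStatus(401);

        // Bearer token -> the authenticated user
        $this->withToken($token)->getJson('/api/profile')
            ->assertOk()->assertJsonPath('email', 'alice@example.com');

        // Wrong password and unknown email produce the identical 401, so nothing leaks about which accounts exist
        $this->postJson('/api/login', ['email' => 'alice@example.com', 'password' => 'wrong'])->assertStatus(401);
        $this->postJson('/api/login', ['email' => 'nobody@example.com', 'password' => 'wrong'])->assertStatus(401);

        // A correct login issues a second, different token
        $second = $this->postJson('/api/login', ['email' => 'alice@example.com', 'password' => 'correct-horse-battery'])
            ->assertOk()->json('token');
        $this->assertNotSame($token, $second);

        // Logout revokes the tokens; the one we hold stops working immediately
        $this->withToken($token)->postJson('/api/logout')->assertOk();
        $this->withToken($token)->getJson('/api/profile')->assertStatus(401);
    }
}
```

Run it with php artisan test. The hash assertion is the one worth keeping in any Sanctum project: it fails loudly if someone later swaps the token model for one that stores plaintext.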
✅ Conclusion
Laravel Sanctum keeps API authentication simple without giving up the basics: tokens are random, stored only as SHA-256 hashes, verified on every request by the auth:sanctum guard, and can be scoped with abilities and given an expiry (the expiration key in config/sanctum.php is null by default, meaning tokens never expire unless you say so). It's a good fit for SPAs, mobile apps and small-to-medium APIs that don't need a full OAuth2 server. Whatever the client, serve the API over HTTPS only and treat the plain-text token like a password on the client side.
With just a few steps, you can:
- Register users
- Authenticate with tokens
- Secure your API endpoints