Laravel Sanctum for API authentication
Carlos Mendez
Jan 2026
3 tabs
<?php
namespace App\Http\Controllers\Auth;
use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;
class LoginController extends Controller
{
public function login(Request $request)
{
$request->validate([
'email' => ['required', 'email'],
'password' => ['required'],
'device_name' => ['required'],
]);
$user = User::where('email', $request->email)->first();
if (!$user || !Hash::check($request->password, $user->password)) {
throw ValidationException::withMessages([
'email' => ['The provided credentials are incorrect.'],
]);
}
// Create token with abilities
$token = $user->createToken(
$request->device_name,
['posts:read', 'posts:write']
)->plainTextToken;
return response()->json([
'token' => $token,
'user' => $user,
]);
}
public function logout(Request $request)
{
// Revoke current token
$request->user()->currentAccessToken()->delete();
return response()->json(['message' => 'Logged out successfully']);
}
public function logoutAll(Request $request)
{
// Revoke all user's tokens
$request->user()->tokens()->delete();
return response()->json(['message' => 'Logged out from all devices']);
}
}
<?php
use Illuminate\Support\Facades\Route;
Route::post('/login', [LoginController::class, 'login']);
Route::middleware('auth:sanctum')->group(function () {
Route::get('/user', fn (Request $request) => $request->user());
Route::post('/logout', [LoginController::class, 'logout']);
Route::get('/posts', [PostController::class, 'index']);
Route::middleware('ability:posts:write')->group(function () {
Route::post('/posts', [PostController::class, 'store']);
Route::put('/posts/{post}', [PostController::class, 'update']);
});
});
<?php
// In controller
public function store(Request $request)
{
if ($request->user()->tokenCan('posts:write')) {
// User has permission
}
// Or use middleware
}
3 files · php
Explain with highlit
Laravel Sanctum provides lightweight API authentication for SPAs and mobile apps. For SPAs on the same domain, Sanctum uses Laravel's session cookies with CSRF protection. For mobile apps or third-party clients, it issues API tokens stored in a personal_access_tokens table. I protect API routes with the auth:sanctum middleware. Users authenticate via login endpoints that set cookies or return tokens. Token abilities scope permissions—read-only vs full access. The currentAccessToken() method retrieves the token for ability checks. Sanctum is simpler than OAuth for first-party applications while still secure. It handles token expiration, revocation, and multiple tokens per user for different devices.