Securing Laravel APIs with Sanctum or Passport Authentication
Jul 11, 2025 am 03:21 AM
Laravel Sanctum and Laravel Passport are two tools for API authentication, suitable for different scenarios. 1. Sanctum is simpler and lighter, suitable for SPAs, mobile applications and basic token authentication; 2. Passport is a complete OAuth2 server that supports third-party access tokens, token revocation and fine-grained scope control. If you need the OAuth2 function, use Passport, otherwise Sanctum is more suitable. The settings process of the two are different: Sanctum needs to install, publish configuration, run migration, update user model and add middleware, and generate tokens through the createToken method; Passport needs to install, run migration, execute the passport:install command, update user model and register routes. When selecting, you should determine whether the advanced features of OAuth2 should be required based on the project requirements.
When building APIs with Laravel, securing them properly is cruel—especially if they're consumed by mobile apps or SPAs (Single Page Applications). Two common tools for this are Laravel Sanctum and Laravel Passport. Both can handle authentication, but they serve different use cases and have distinct setups.
Understanding the Differences: Sanctum vs. Passport
Laravel Sanctum and Passport both provide API authentication, but their approach is quite different.
- Sanctum is simpler and lightweight. It's great for SPAs, mobile apps, and simple token-based authentication.
- Passport is a full OAuth2 server, which means it supports more complex scenarios like third-party access tokens, token revocation, and granular scopes.
If you don't need full OAuth2 features, Sanctum is usually enough—and easier to set up.
Setting Up Sanctum in Your Laravel API
To secure your Laravel API with Sanctum, follow these steps:
Install Sanctum : Run
composer require laravel/sanctumand publish the config file usingphp artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider".Run Migrations : Sanctum needs a table to store tokens, so run
php artisan migrate.Update User Model : Add the
HasApiTokenstrait to your User model (use Laravel\Sanctum\HasApiTokens;).Configure Middleware : In
app/Http/Kernel.php, make sure\Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::classis added to theapimiddleware group.Create Tokens : Use
$user->createToken('token-name')to generate tokens. Return that token to the client after login.Protect Routes : Use the
auth:sanctumguard to protect your API routes.
One thing to note: Sanctum tokens don't expire by default. If you want short-lived tokens, enable that in the config and manage refresh logic on the client side.
How to Secure APIs Using Laravel Passport
If your app needs OAuth2 functionality (like allowing third-party services to authenticate), Passport is the better choice.
Here's how to get started:
- Install Passport : Run
composer require laravel/passportand thenphp artisan migrate. - Install JavaScript Dependencies : Run
npm install passport passport-http-bearerif you're using Node.js for frontend. - Run Passport Install Command : Execute
php artisan passport:install. This generates encryption keys and creates OAuth clients needed for issuing tokens. - Update User Model : Add the
HasApiTokenstrait from Passport and use theLaravel\Passport\HasApiTokensnamespace. - Add Passport Routes : In your
AuthServiceProvider, callPassport::routes()inside thebootmethod. - Set Auth Guard : In
config/auth.php, set theapidriver topassport.
With Passport, you can issue long-lived tokens, revoke them, and even allow users to grant access to third-party apps. However, this also adds complexity—so only go this route if you really need those features.
Choosing Between Sanctum and Passport
The decision really comes down to your project's requirements.
-
Go with Sanctum if:
- You're building a SPA or mobile app.
- You don't need OAuth2 features like scopes or third-party access.
- Simplicity and speed of setup matter.
-
Choose Passport if:
- You need full OAuth2 support.
- You're planning to offer an API for third-party developers.
- Token management beyond basic auth is required.
Both tools work well, but mixing them isn't recommended unless you have a very specific reason to do so.
Basically, start with Sanctum unless you know you'll need Passport's extra capabilities.
The above is the detailed content of Securing Laravel APIs with Sanctum or Passport Authentication. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
What are policies in Laravel, and how are they used?
Jun 21, 2025 am 12:21 AM
InLaravel,policiesorganizeauthorizationlogicformodelactions.1.Policiesareclasseswithmethodslikeview,create,update,anddeletethatreturntrueorfalsebasedonuserpermissions.2.Toregisterapolicy,mapthemodeltoitspolicyinthe$policiesarrayofAuthServiceProvider.
How do I create new records in the database using Eloquent?
Jun 14, 2025 am 12:34 AM
To create new records in the database using Eloquent, there are four main methods: 1. Use the create method to quickly create records by passing in the attribute array, such as User::create(['name'=>'JohnDoe','email'=>'john@example.com']); 2. Use the save method to manually instantiate the model and assign values ??to save one by one, which is suitable for scenarios where conditional assignment or extra logic is required; 3. Use firstOrCreate to find or create records based on search conditions to avoid duplicate data; 4. Use updateOrCreate to find records and update, if not, create them, which is suitable for processing imported data, etc., which may be repetitive.
What is the purpose of the artisan command-line tool in Laravel?
Jun 13, 2025 am 11:17 AM
Artisan is a command line tool of Laravel to improve development efficiency. Its core functions include: 1. Generate code structures, such as controllers, models, etc., and automatically create files through make: controller and other commands; 2. Manage database migration and fill, use migrate to run migration, and db:seed to fill data; 3. Support custom commands, such as make:command creation command class to implement business logic encapsulation; 4. Provide debugging and environment management functions, such as key:generate to generate keys, and serve to start the development server. Proficiency in using Artisan can significantly improve Laravel development efficiency.
How do I install Laravel on my operating system (Windows, macOS, Linux)?
Jun 19, 2025 am 12:31 AM
Yes,youcaninstallLaravelonanyoperatingsystembyfollowingthesesteps:1.InstallPHPandrequiredextensionslikembstring,openssl,andxmlusingtoolslikeXAMPPonWindows,HomebrewonmacOS,oraptonLinux;2.InstallComposer,usinganinstalleronWindowsorterminalcommandsonmac
How do I define methods (actions) in a controller?
Jun 14, 2025 am 12:38 AM
Defining a method (also known as an action) in a controller is to tell the application what to do when someone visits a specific URL. These methods usually process requests, process data, and return responses such as HTML pages or JSON. Understanding the basic structure: Most web frameworks (such as RubyonRails, Laravel, or SpringMVC) use controllers to group related operations. Methods within each controller usually correspond to a route, i.e. the URL path that someone can access. For example, there may be the following methods in PostsController: 1.index() – display post list; 2.show() – display individual posts; 3.create() – handle creating new posts; 4.u
How do I run tests in Laravel? (php artisan test)
Jun 13, 2025 am 12:02 AM
ToruntestsinLaraveleffectively,usethephpartisantestcommandwhichsimplifiesPHPUnitusage.1.Setupa.env.testingfileandconfigurephpunit.xmltouseatestdatabaselikeSQLite.2.Generatetestfilesusingphpartisanmake:test,using--unitforunittests.3.Writetestswithmeth
What are controllers in Laravel, and what is their purpose?
Jun 20, 2025 am 12:31 AM
The main role of the controller in Laravel is to process HTTP requests and return responses to keep the code neat and maintainable. By concentrating the relevant request logic into a class, the controller makes the routing file simpler, such as putting user profile display, editing and deletion operations in different methods of UserController. The creation of a controller can be implemented through the Artisan command phpartisanmake:controllerUserController, while the resource controller is generated using the --resource option, covering methods for standard CRUD operations. Then you need to bind the controller in the route, such as Route::get('/user/{id
How do I customize the authentication views and logic in Laravel?
Jun 22, 2025 am 01:01 AM
Laravel allows custom authentication views and logic by overriding the default stub and controller. 1. To customize the authentication view, use the command phpartisanvendor:publish-tag=laravel-auth to copy the default Blade template to the resources/views/auth directory and modify it, such as adding the "Terms of Service" check box. 2. To modify the authentication logic, you need to adjust the methods in RegisterController, LoginController and ResetPasswordController, such as updating the validator() method to verify the added field, or rewriting r
