Laravel Sanctum 和Laravel Passport 是用於API 認(rèn)證的兩種工具，適用於不同場(chǎng)景。 1. Sanctum 更簡(jiǎn)單輕量，適合SPAs、移動(dòng)應(yīng)用及基礎(chǔ)令牌認(rèn)證；2. Passport 是完整的OAuth2 服務(wù)器，支持第三方訪問(wèn)令牌、令牌撤銷和精細(xì)的作用域控制。若需OAuth2 功能則使用Passport，否則Sanctum 更合適。兩者設(shè)置流程不同：Sanctum 需安裝、發(fā)布配置、運(yùn)行遷移、更新用戶模型並添加中間件，通過(guò)createToken 方法生成令牌；Passport 則需安裝、運(yùn)行遷移、執(zhí)行passport:install 命令、更新用戶模型並註冊(cè)路由。選擇時(shí)應(yīng)根據(jù)項(xiàng)目需求判斷是否需要OAuth2 的高級(jí)功能。

When building APIs with Laravel, securing them properly is crucial—especially if they're consumed by mobile apps or SPAs (Single Page Applications). Two common tools for this are Laravel Sanctum and Laravel Passport. Both can handle authentication, but they serve different use cases and have distinct setups.

Understanding the Differences: Sanctum vs. Passport

Laravel Sanctum and Passport both provide API authentication, but their approach is quite different.

• Sanctum is simpler and lightweight. It's great for SPAs, mobile apps, and simple token-based authentication.
• Passport is a full OAuth2 server, which means it supports more complex scenarios like third-party access tokens, token revocation, and granular scopes.

If you don't need full OAuth2 features, Sanctum is usually enough—and easier to set up.

Setting Up Sanctum in Your Laravel API

To secure your Laravel API with Sanctum, follow these steps:

1. Install Sanctum : Run composer require laravel/sanctum and publish the config file using php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider" .

2. Run Migrations : Sanctum needs a table to store tokens, so run php artisan migrate .

3. Update User Model : Add the HasApiTokens trait to your User model ( use Laravel\Sanctum\HasApiTokens; ).

4. Configure Middleware : In app/Http/Kernel.php , make sure \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class is added to the api middleware group.

5. Create Tokens : Use $user->createToken('token-name') to generate tokens. Return that token to the client after login.

6. Protect Routes : Use the auth:sanctum guard to protect your API routes.

One thing to note: Sanctum tokens don't expire by default. If you want short-lived tokens, enable that in the config and manage refresh logic on the client side.

How to Secure APIs Using Laravel Passport

If your app needs OAuth2 functionality (like allowing third-party services to authenticate), Passport is the better choice.

Here's how to get started:

• Install Passport : Run composer require laravel/passport and then php artisan migrate .
• Install JavaScript Dependencies : Run npm install passport passport-http-bearer if you're using Node.js for frontend.
• Run Passport Install Command : Execute php artisan passport:install . This generates encryption keys and creates OAuth clients needed for issuing tokens.
• Update User Model : Add the HasApiTokens trait from Passport and use the Laravel\Passport\HasApiTokens namespace.
• Add Passport Routes : In your AuthServiceProvider , call Passport::routes() inside the boot method.
• Set Auth Guard : In config/auth.php , set the api driver to passport .

With Passport, you can issue long-lived tokens, revoke them, and even allow users to grant access to third-party apps. However, this also adds complexity—so only go this route if you really need those features.

Choosing Between Sanctum and Passport

The decision really comes down to your project's requirements.

• Go with Sanctum if:

  • You're building a SPA or mobile app.
  • You don't need OAuth2 features like scopes or third-party access.
  • Simplicity and speed of setup matter.

• Choose Passport if:

  • You need full OAuth2 support.
  • You're planning to offer an API for third-party developers.
  • Token management beyond basic auth is required.

Both tools work well, but mixing them isn't recommended unless you have a very specific reason to do so.

Basically, start with Sanctum unless you know you'll need Passport's extra capabilities.

以上是用聖所或護(hù)照身份驗(yàn)證確保Laravel API的詳細(xì)內(nèi)容。更多資訊請(qǐng)關(guān)注PHP中文網(wǎng)其他相關(guān)文章！