Laravel Sanctum API Tokens

Laravel Sanctum provides lightweight API token authentication for SPAs, mobile apps, and simple token-based APIs.

1 - Installation

composer require laravel/sanctum
php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
php artisan migrate

2 - Issuing Tokens

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;

// Login endpoint: exchanges credentials for a personal access token
Route::post('/tokens/create', function (Request $request) {
    $request->validate(['email' => 'required|email', 'password' => 'required']);

    $user = User::where('email', $request->email)->first();

    // Same response for unknown user and wrong password, so the endpoint
    // does not reveal which accounts exist
    if (! $user || ! Hash::check($request->password, $user->password)) {
        return response()->json(['message' => 'Invalid credentials'], 401);
    }

    // Second argument is the token's abilities (scopes). Only the SHA-256 hash
    // is stored in personal_access_tokens; the plain text is available once, here.
    $token = $user->createToken('api-token', ['read', 'write'])->plainTextToken;

    return response()->json(['token' => $token]);
});

3 - Protecting API Routes

// routes/api.php
use App\Http\Controllers\PostController;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// auth:sanctum accepts either a Bearer token or a first-party SPA session cookie
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/user', fn (Request $request) => $request->user());
    Route::apiResource('posts', PostController::class);
});
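Step 2 issues tokens with the abilities ['read', 'write'], but nothing above enforces them; auth:sanctum only checks that the token is valid. The routes below are an added example, not part of the original page or of Sanctum itself, showing how to check abilities with tokenCan() before a write. The route paths and the 'read'/'write' ability names are assumptions carried over from the login example.

```php
// routes/api.php (added example)
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->group(function () {
    // Read-only access: any token carrying the 'read' ability
    Route::get('/posts', function (Request $request) {
        abort_unless($request->user()->tokenCan('read'), 403, 'Token lacks read ability');

        return $request->user()->posts;   // assumes a User::posts() relation
    });

    // Mutating access: require the 'write' ability explicitly
    Route::post('/posts', function (Request $request) {
        abort_unless($request->user()->tokenCan('write'), 403, 'Token lacks write ability');

        $data = $request->validate(['title' => 'required|string|max:200']);

        return response()->json($request->user()->posts()->create($data), 201);
    });
});
```

Caveat worth knowing when reviewing such checks: for requests authenticated through the SPA session cookie rather than a Bearer token, Sanctum attaches a TransientToken whose can() always returns true, so tokenCan() only restricts real API tokens; first-party session users are governed by your normal authorization (policies/gates), not by abilities. A token created with the default abilities ['*'] also passes every tokenCan() check, so issue narrowly scoped abilities as in step 2 rather than relying on the default.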

4 - Revoking Tokens

// Revoke the current token (the one that authenticated this request).
// For session-authenticated SPA requests this is a TransientToken whose
// delete() is a no-op; only real personal access tokens are removed.
$request->user()->currentAccessToken()->delete();

// Revoke all tokens (logout from all devices)
$request->user()->tokens()->delete();
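Revoking "this token" or "all tokens" covers logout, but a practitioner usually also wants to let a user see which tokens exist and revoke one specific device. The routes below are an added example (not from the page or from Sanctum's own code) that scope every query through the authenticated user's tokens() relation, so one user can never list or delete another user's tokens, and that never return the hashed token column. The expires_at column and the third createToken() argument assume Sanctum 3.3 or newer, which added token expiration; the route paths are assumptions.

```php
// routes/api.php (added example)
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->group(function () {
    // Issue a token named after the device with a 30-day expiry (Sanctum >= 3.3)
    Route::post('/tokens/device', function (Request $request) {
        $data = $request->validate(['device_name' => 'required|string|max:100']);

        $token = $request->user()->createToken(
            $data['device_name'],
            ['read'],                 // least privilege: read-only by default
            now()->addDays(30)        // expires_at; null would mean "never"
        )->plainTextToken;

        return response()->json(['token' => $token], 201);
    });

    // List the caller's own tokens; the hashed 'token' column is deliberately omitted
    Route::get('/tokens', function (Request $request) {
        return $request->user()->tokens()
            ->get(['id', 'name', 'abilities', 'last_used_at', 'expires_at', 'created_at']);
    });

    // Revoke one token by id, scoped to the caller (no cross-user revocation)
    Route::delete('/tokens/{id}', function (Request $request, int $id) {
        $deleted = $request->user()->tokens()->where('id', $id)->delete();

        abort_if($deleted === 0, 404, 'No such token for this user');

        return response()->noContent();
    });
});
```

Expired tokens are rejected at authentication time but stay in the table until pruned; scheduling `php artisan sanctum:prune-expired --hours=24` keeps the personal_access_tokens table from growing with dead rows. A global default lifetime can also be set via the 'expiration' key (minutes) in config/sanctum.php, which applies when no per-token expiry is passed.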