Sohag's Notes

Introduction to Laravel Sanctum: Secure API Authentication Made Easy

Introduction to Laravel Sanctum: Secure API Authentication Made Easy

Sohag Hasan's photo
Sohag Hasan
·

5 min read

Table of contents

Introduction:

Authentication is a crucial aspect of any web application, especially when building APIs that need to be secure and protect sensitive data. Laravel, one of the most popular PHP web frameworks, provides several authentication packages to make implementing authentication easy and efficient. Laravel Sanctum is one such package that provides a simple and secure way to authenticate API requests. In this blog post, we will explore the features of Laravel Sanctum, how it works, and how to use it in your Laravel applications.

What is Laravel Sanctum?

Laravel Sanctum is an official Laravel package that provides a simple and easy-to-use API authentication solution for Laravel applications. It allows you to authenticate API requests using tokens, cookies, or session-based authentication, making it flexible and versatile for different use cases. Laravel Sanctum is built on top of Laravel's existing authentication system and provides a seamless way to secure your API endpoints and protect your application's resources.

Why Use Laravel Sanctum?

Laravel Sanctum offers several benefits for authentication in Laravel applications:

  1. Secure and Simple: Laravel Sanctum provides a secure way to authenticate API requests without the complexity of traditional authentication methods. It allows you to authenticate requests using tokens, cookies, or session-based authentication, depending on your application's requirements.

  2. Built-in Cross-Origin Resource Sharing (CORS) Support: Laravel Sanctum automatically handles CORS for you, making it easy to authenticate API requests from different domains or origins. It provides a simple way to configure and control CORS settings for your application.

  3. Customizable Authentication Flow: Laravel Sanctum allows you to customize the authentication flow based on your application's needs. You can choose to authenticate requests using tokens, cookies, or session-based authentication, and configure the authentication middleware accordingly.

  4. Laravel Ecosystem Integration: Laravel Sanctum integrates seamlessly with other Laravel packages and features, such as Laravel's built-in authentication system, Laravel Passport for OAuth2 authentication, and Laravel's middleware and routing system.

  5. Fine-grained Authentication Control: Laravel Sanctum provides fine-grained control over authentication, allowing you to specify which routes or endpoints should require authentication and which ones should be public. This gives you flexibility in managing authentication requirements for different parts of your application.

Behind the Scenes:

How Laravel Sanctum Works Laravel Sanctum uses a token-based authentication system to authenticate API requests. When a user logs in or registers in your Laravel application, Laravel Sanctum generates a unique token for that user. This token is then attached to subsequent API requests as an authorization header or a cookie, allowing Laravel to verify the authenticity of the request.

Laravel Sanctum also provides middleware that can be used to protect your API routes. The middleware checks for the presence of a valid token in the request, and if the token is valid, the request is allowed to proceed. If the token is invalid or missing, the middleware returns an appropriate response, indicating that the request is unauthorized.

How to Use Laravel Sanctum in Your Laravel Application

Using Laravel Sanctum in your Laravel application is easy and straightforward. Here's a step-by-step guide on how to get started:

Step 1:

Install Laravel Sanctum You can install Laravel Sanctum using Composer, the package manager for PHP:

composer require laravel/sanctum

Step 2:

Publish Sanctum Configuration After installing the Sanctum package, you need to publish the configuration file to configure the package according to your needs. You can do this by running the following command:

php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

This will publish the configuration file to your Laravel application, allowing you to customize the authentication settings.

Step 3:

Configure Sanctum Middleware Next, you need to configure the Sanctum middleware in your Laravel application. You can do this by adding the EnsureFrontendRequestsAreStateful middleware to the $middlewareGroups property in your app/Http/Kernel.php file:

protected $middlewareGroups = [
    // ...
    'api' => [
        \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
        // ...
    ],
];

This middleware ensures that requests coming from your frontend application are stateful and can be authenticated using cookies or session-based authentication.

Step 4:

Generate Sanctum API Tokens To generate API tokens for your users, you can use Laravel Sanctum's built-in HasApiTokens trait. You can add this trait to your User model or any other model that you want to authenticate:

use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens;
    // ...
}

This trait provides methods to generate, retrieve, and revoke API tokens for users. You can use these methods in your authentication logic to manage API tokens for your users.

Step 5:

Protect Your API Routes with Sanctum Middleware Once you have configured Sanctum and generated API tokens for your users, you can start protecting your API routes with the Sanctum middleware. You can do this by adding the auth:sanctum middleware to your routes or route groups:

Route::middleware(['auth:sanctum'])->group(function () {
    // Your protected routes here
});

This middleware ensures that the request is authenticated using Sanctum's token-based authentication system before allowing access to the protected routes. If the request does not contain a valid token or is not authenticated, Laravel will return an appropriate response indicating that the request is unauthorized.

Step 6:

Authenticating API Requests To authenticate API requests using Laravel Sanctum, you can send the token as an authorization header or as a cookie in your API requests. For example, you can send the token in the Authorization header like this:

Authorization: Bearer <api_token>

Or you can send the token as a cookie with the name laravel_session:

laravel_session=<api_token>

Laravel Sanctum will automatically validate the token and authenticate the request if the token is valid.

Conclusion

Laravel Sanctum is a powerful and easy-to-use authentication package for Laravel applications. It provides a simple and secure way to authenticate API requests using tokens, cookies, or session-based authentication. With its seamless integration with other Laravel features and customization options, Laravel Sanctum offers a robust solution for securing your API endpoints and protecting your application's resources. By following the steps outlined in this blog post, you can easily implement Laravel Sanctum in your Laravel applications and ensure secure API authentication. Happy coding!

PHPauthenticationLaravelLaravel Sanctum