Building Scalable APIs with Laravel Sanctum

Laravel Sanctum provides a featherweight authentication system for SPAs, mobile applications, and simple, token-based APIs. Let's explore how to build secure and scalable APIs.

Installation and Setup

First, install Sanctum via Composer:

composer require laravel/sanctum
Copy

Publish the Sanctum configuration and migration files:

php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
php artisan migrate
Copy

API Token Authentication

Sanctum allows you to issue API tokens to your users without the complexity of OAuth:

// Generate a token
$token = $user->createToken('api-token')->plainTextToken;

// Use the token in requests
$response = Http::withToken($token)->get('/api/user');
Copy

SPA Authentication

For single-page applications, Sanctum uses Laravel's built-in cookie-based session authentication:

// In your SPA, first get a CSRF cookie
await axios.get('/sanctum/csrf-cookie');

// Then make authenticated requests
await axios.post('/login', credentials);
Copy

Protecting Routes

Use Sanctum's middleware to protect your API routes:

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});
Copy

Token Abilities

You can assign specific abilities to tokens:

$token = $user->createToken('api-token', ['read', 'write']);

// Check abilities in middleware
Route::middleware(['auth:sanctum', 'ability:read'])->get('/posts', [PostController::class, 'index']);
Copy

Sanctum makes API authentication simple yet powerful!