Laravel Sanctum is a package that provides a lightweight authentication system for single-page applications (SPA), mobile applications, and simple, token-based APIs.
As of the latest version of Laravel (8.x), which ships with Sanctum (2.x), the following methods are available:
- Auth::user() – Retrieves the currently authenticated user.
- Auth::id() – Retrieves the ID of the currently authenticated user.
- Auth::guard($guard)->user() – Retrieves the currently authenticated user for a specific guard.
- Auth::guard($guard)->id() – Retrieves the ID of the currently authenticated user for a specific guard.
- Request::user() – Retrieves the currently authenticated user from the HTTP request.
- Request::bearerToken() – Retrieves the bearer token from the HTTP request.
- HasApiTokens trait – Adds methods to the User model for creating and managing API tokens.
These methods are used for authenticating and managing user sessions and tokens in a Laravel application that uses Sanctum.
Laravel Sanctum provides additional functionality and methods for managing API tokens and authentication, including:
- Laravel\Sanctum\HasApiTokens trait – Adds methods to the User model for creating and managing API tokens.
- createToken($name, $abilities = ['*']) – Creates a new API token for the authenticated user with the given name and abilities.
- tokens() – Retrieves all of the API tokens associated with the authenticated user.
- token() – Retrieves the current API token associated with the authenticated user.
- withAccessToken($token) – Sets the API token to be used for the current request.
- tokenCan($ability) – Determines if the current API token has the given ability.
- check($token) – Determines if the given API token is valid and associated with a user.
- forget($token) – Revokes the given API token.
- flush() – Revokes all of the API tokens associated with the authenticated user.
These methods can be used to manage and authenticate API tokens in a Laravel Sanctum application.
Laravel Sanctum provides additional methods for handling authentication and authorization for SPA applications and mobile applications, including:
- createToken($name, $abilities = ['*']) – Creates a new personal access token for the authenticated user with the given name and abilities.
- abilities() – Retrieves all of the abilities associated with the authenticated user.
- tokenFor($user, $name, $abilities = ['*']) – Creates a new personal access token for the given user with the given name and abilities.
- can($ability) – Determines if the authenticated user has the given ability.
These methods are used to authenticate and authorize users in SPA and mobile applications that use Sanctum. They provide a simple and secure way to manage user sessions and access to protected resources in a Laravel application.
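The following routes file is an added example, not code from the original page or from the Sanctum project. It assumes App\Models\User uses the Laravel\Sanctum\HasApiTokens trait (Sanctum 2.x), a hypothetical `orders` relation on the user, and shows createToken with narrowed abilities, tokenCan checks on protected routes, and revocation of one or all tokens:

```php
<?php
// routes/api.php -- added example, not from the original page. Assumes
// App\Models\User uses Laravel\Sanctum\HasApiTokens (Sanctum 2.x) and has a
// hypothetical `orders` relation.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;

// Issue a token. Abilities are narrowed instead of the default ['*'], so a
// leaked token is limited to what this client actually needs.
Route::post('/tokens', function (Request $request) {
    $data = $request->validate([
        'email'       => 'required|email',
        'password'    => 'required',
        'device_name' => 'required|string|max:100',
    ]);
    $user = User::where('email', $data['email'])->first();
    if (! $user || ! Hash::check($data['password'], $user->password)) {
        return response()->json(['message' => 'Invalid credentials.'], 401);
    }
    // Sanctum stores only a SHA-256 hash; the plain-text value is shown once.
    $token = $user->createToken($data['device_name'], ['orders:read']);
    return response()->json(['token' => $token->plainTextToken], 201);
});
Route::middleware('auth:sanctum')->group(function () {
    // Allowed for tokens carrying the orders:read ability (and for ['*']).
    Route::get('/orders', function (Request $request) {
        abort_unless($request->user()->tokenCan('orders:read'), 403);
        return $request->user()->orders;
    });
    // Requires an ability the login route above never grants, so a token
    // issued there is rejected here even though it authenticates.
    Route::post('/orders', function (Request $request) {
        abort_unless($request->user()->tokenCan('orders:create'), 403);
        return $request->user()->orders()->create($request->only('sku'));
    });
    // Revoke only the token presented on this request (single-device logout).
    Route::delete('/tokens/current', function (Request $request) {
        $request->user()->currentAccessToken()->delete();
        return response()->noContent();
    });
    // Revoke every token the user owns, e.g. after a suspected compromise.
    Route::delete('/tokens', function (Request $request) {
        $request->user()->tokens()->delete();
        return response()->noContent();
    });
});
```

The /tokens/current route assumes a bearer-token request; a session-authenticated SPA request carries a transient token that cannot be deleted this way.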
In addition to the methods listed earlier, Laravel Sanctum also provides a few middleware classes to manage authentication and authorization for API requests:
- EnsureFrontendRequestsAreStateful: Allows stateful CSRF protection for SPA applications.
- EnsureFrontendRequestsAreAuthenticated: Verifies that the incoming request is authenticated.
- EnsureFrontendRequestsAreAuthorized: Verifies that the incoming request is authorized to perform the requested action.
These middleware classes are typically used to protect routes that are accessed via API requests in a Laravel application that uses Sanctum for authentication and authorization. They help to ensure that API requests are properly authenticated and authorized, and prevent unauthorized access to protected resources.
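How EnsureFrontendRequestsAreStateful is wired into the `api` middleware group, as an added excerpt that is not from the original page (it mirrors the registration Sanctum 2.x documents for app/Http/Kernel.php; `throttle:api` and SubstituteBindings are Laravel 8's defaults for that group):

```php
<?php
// app/Http/Kernel.php (excerpt) -- added example, not from the original page.
// Placed first in the `api` group: requests whose Origin/Referer matches a
// domain listed under `stateful` in config/sanctum.php are authenticated via
// the session cookie and must pass CSRF verification; every other API request
// falls through to bearer-token authentication.
protected $middlewareGroups = [
    'api' => [
        \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
        'throttle:api',
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],
];
```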
Laravel Sanctum also provides the following configuration options in the config/sanctum.php file:
- stateful – Determines if CSRF tokens should be issued for SPA applications.
- expiration – Determines the lifetime (in seconds) of API tokens.
- middleware – Determines the middleware that should be applied to routes protected by Sanctum.
These configuration options can be used to customize the behavior of Sanctum in a Laravel application, such as changing the expiration time of API tokens or enabling or disabling stateful CSRF protection for SPA applications.
In addition, Laravel Sanctum provides a set of customizable views that can be published using the php artisan vendor:publish --tag=sanctum-views command. These views allow developers to customize the HTML and CSS of the authentication pages that are presented to users when they log in or register with a Sanctum-powered application.
Another feature provided by Laravel Sanctum is the ability to create temporary tokens with an expiration time.
Temporary tokens are useful when you need to grant temporary access to resources or services, such as granting access to an API for a limited time or allowing a user to access a resource for a limited duration.
To create a temporary token, you can use the temporaryToken method on the Laravel\Sanctum\HasApiTokens trait:
```php
use App\Models\User;
use Illuminate\Support\Facades\Http;

$user = User::find(1);
// Create a temporary token that expires in 5 minutes
$token = $user->temporaryToken(5);
// Use the temporary token to make API requests
$response = Http::withToken($token)->get('https://example.com/api/resource');
```
In this example, a temporary token is created with a lifespan of 5 minutes using the temporaryToken method on the User model. The temporary token can then be used to make authenticated requests to the API.
Once the token expires, it will no longer be valid and cannot be used to access protected resources. This feature provides a simple and secure way to grant temporary access to resources in a Laravel application using Sanctum.