{"flag":true,"single":true,"pageTitle":"LARAVEL API using Sanctum","post":{"id":255,"user_id":"1","slug":"laravel-api-using-sanctum-t4c5","title":"LARAVEL API using Sanctum","body":"

Packages used to create api are 1. sanctum <\/strong>and 2. Passport <\/strong>we will use sanctum in this guide.<\/p>\r\n

Laravel Sanctum provides a featherweight authentication system. IT solve two separate problems.<\/strong><\/p>\r\n

    \r\n
  1. API TOKENS
    <\/strong>First, issue API tokens to your users without the complication of OAuth. It store user API tokens in a single database table<\/strong> and authenticating incoming HTTP requests via the Authorization header <\/strong>which should contain a valid API token. So user need to generate a token to use API<\/li>\r\n
  2. SPA Authentication:: 
    <\/strong>https:\/\/laravel.com\/docs\/11.x\/sanctum#spa-authentication
    <\/strong><\/li>\r\n<\/ol>\r\n

    How sanctum works:
    If login cred are correct it save a token in database and return to user, user need to send that token with every request <\/p>\r\n

    Installation:<\/strong><\/p>\r\n

    php artisan install:api<\/code><\/pre>\r\n
    OR<\/p>\r\n
    composer require laravel\/sanctum\r\nphp artisan vendor:publish --provider=\"Laravel\\Sanctum\\SanctumServiceProvider\"<\/code><\/pre>\r\n
    after installation run below command to add new database table personal_access_tokens<\/strong><\/p>\r\n
    php artisan migrate<\/code><\/pre>\r\n
    Set Up Sanctum Middleware:<\/strong><\/p>\r\n
     For APIs, you should add Sanctum's middleware to your api middleware group in app\/Http\/Kernel.php:<\/strong><\/p>\r\n
    'api' => [\r\n    \\Laravel\\Sanctum\\Http\\Middleware\\EnsureFrontendRequestsAreStateful::class,\r\n    'throttle:api',\r\n    \\Illuminate\\Routing\\Middleware\\SubstituteBindings::class,\r\n],<\/code><\/pre>\r\n
    Add Sanctum's Middleware to API Authentication:<\/strong> If you are using Sanctum to protect API routes, update the api guard inside your config\/auth.php<\/strong> file:<\/p>\r\n
    'guards' => [\r\n    'api' => [\r\n        'driver' => 'sanctum',\r\n        'provider' => 'users',\r\n        'hash' => false,\r\n    ],\r\n],\r\n<\/code><\/pre>\r\n
     Now, you can use Sanctum to issue tokens or authenticate API requests using tokens.<\/p>\r\n
     <\/p>\r\n
    To issuing tokens for users, your User model should use the Laravel\\Sanctum\\HasApiTokens<\/strong> trait:<\/p>\r\n
    \/\/Models\/User.php\r\nuse Laravel\\Sanctum\\HasApiTokens;\r\nclass User extends Authenticatable\r\n{\r\n    use HasApiTokens, HasFactory, Notifiable;\r\n}<\/code><\/pre>\r\n
    To issue a token, you may use the createToken <\/strong>method. API tokens (SHA-256) hashing before being stored in your database, but you may access the plain-text value of the token using the plainTextToken <\/strong>property of the NewAccessToken instance. You should display this value to the user immediately after the token has been created:<\/p>\r\n
    use Illuminate\\Http\\Request;\r\nRoute::post('\/tokens\/create', function (Request $request) {\r\n    $token = $request->user()->createToken($request->token_name);\r\n \r\n    return ['token' => $token->plainTextToken];\r\n});\r\n\r\n\/\/if user is authenticated show him token<\/code><\/pre>\r\n
    ACCESS TOKENS:<\/strong><\/p>\r\n
    foreach ($user->tokens as $token) {\r\n    \/\/ ...\r\n}\r\n\/\/ OR  FIND A SINGLE USER THEN\r\n$user->tokens()<\/code><\/pre>\r\n
    Token Abilities<\/strong><\/p>\r\n
    xd learn it <\/p>\r\n
    Protecting Routes<\/strong><\/p>\r\n
    To protect routes so that all incoming requests must be authenticated, you should attach the sanctum<\/code> authentication guard <\/p>\r\n
    use Illuminate\\Http\\Request;\r\nRoute::get('\/user', function (Request $request) {\r\n    return $request->user();\r\n})->middleware('auth:sanctum');<\/code><\/pre>\r\n
    Revoking Tokens<\/strong><\/p>\r\n
    You may \"revoke\" tokens by deleting them from your database using the tokens relationship<\/p>\r\n
    \/\/ Revoke all tokens...\r\n$user->tokens()->delete();\r\n \r\n\/\/ Revoke the token that was used to authenticate the current request...\r\n$request->user()->currentAccessToken()->delete();\r\n \r\n\/\/ Revoke a specific token...\r\n$user->tokens()->where('id', $tokenId)->delete();<\/code><\/pre>\r\n
    Token expiration add:<\/strong><\/p>\r\n
    If you would like to specify the expiration time of each token independently, you may do so by providing the expiration time as the third argument to the createToken method:<\/p>\r\n
    return $user->createToken(\r\n    'token-name', ['*'], now()->addWeek()\r\n)->plainTextToken;<\/code><\/pre>\r\n
     <\/p>\r\n
    A MINI EXAMPLE:<\/strong><\/p>\r\n
    Make controller<\/strong><\/p>\r\n
    php artisan make:controller AuthController<\/code><\/pre>\r\n
    <?php\r\nnamespace App\\Http\\Controllers;\r\nuse Illuminate\\Http\\Request;\r\nuse Illuminate\\Support\\Facades\\Auth;\r\nuse App\\Models\\User;\r\n\r\nclass AuthController extends Controller\r\n{\r\n    \/\/ Method for user login and issuing a token\r\n    public function login(Request $request)\r\n    {\r\n        $credentials = $request->validate([\r\n            'email' => 'required|email',\r\n            'password' => 'required'\r\n        ]);\r\n\r\n        if (Auth::attempt($credentials)) {\r\n            $user = Auth::user();\r\n            $token = $user->createToken('API Token ETC')->plainTextToken;\r\n\r\n            return response()->json([\r\n                'message' => 'Login successful',\r\n                'token' => $token\r\n            ], 200);\r\n        }\r\n\r\n        return response()->json([\r\n            'message' => 'Invalid credentials'\r\n        ], 401);\r\n    }\r\n    \/\/ Method to log out the user and revoke the token\r\n    public function logout(Request $request)\r\n    {\r\n        \/\/ Revoke all tokens...\r\n        $request->user()->tokens()->delete();\r\n        return response()->json([\r\n            'message' => 'Logged out successfully'\r\n        ], 200);\r\n    }\r\n    \/\/ Method to get the authenticated user details\r\n    public function user(Request $request)\r\n    {\r\n        return response()->json($request->user());\r\n    }\r\n}<\/code><\/pre>\r\n
    Routes\\api.php<\/strong><\/p>\r\n
    use App\\Http\\Controllers\\AuthController;\r\n\/\/ Public route for login\r\nRoute::post('\/login', [AuthController::class, 'login']);\r\n\r\n\/\/ Protected routes\r\nRoute::middleware('auth:sanctum')->group(function () {\r\n    Route::post('\/logout', [AuthController::class, 'logout']);\r\n    Route::get('\/user', [AuthController::class, 'user']);\r\n});\r\n<\/code><\/pre>\r\n
    Send a POST request to \/api\/login<\/strong> with email and password. If successful, it will return a token.<\/p>\r\n
     <\/p>","category_id":"2","is_private":"0","created_at":"2024-09-04T12:38:21.000000Z","updated_at":"2024-09-04T22:31:33.000000Z","category":{"id":2,"user_id":"1","name":"Laravel Core","slug":"laravel-nhyt","parent_id":"1","created_at":"2023-03-14T03:58:27.000000Z","updated_at":"2023-03-20T11:30:50.000000Z"},"user":{"id":1,"name":"R GONDAL","email":"rizikmw@gmail.com","email_verified_at":null,"two_factor_confirmed_at":null,"current_team_id":"1","profile_photo_path":null,"created_at":"2023-03-12T10:49:33.000000Z","updated_at":"2025-01-10T12:59:00.000000Z","profile_photo_url":"https:\/\/ui-avatars.com\/api\/?name=R+G&color=7F9CF5&background=EBF4FF"}},"pageDesc":"Packages used to create api are 1. sanctum and 2. Passport we will use sanctum in this guide. Laravel Sanctum provides a featherweight authe - LARAVEL API using Sanctum (Updated: September 4, 2024) - Read more about LARAVEL API using Sanctum at my programming site [SITE]","categories":[]}