Make REST API Authentication in Laravel 9 Using Laravel Sanctum
Laravel Sanctum provides a featherweight authentication system for SPAs ...
Hi Shani, thanks for this tutorial. I want to list all the users I have in the DB and don't want this API to be public. How do I secure this API using Sanctum? To access this DB no user logs in because this API is used to select the users only.
You can write a new middleware or use Auth Guard for securing the API.
Hi, can you make a login page on a Laravel Blade template and log in through the API POST method with the same email and password that was saved in the DB?
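One way to act on this reply, as an added example that is not from the article or the commenters: a routes/api.php that puts the user list behind auth:sanctum plus an ability check. The /users path, the users:list ability name and the $serviceUser account are assumptions made for illustration.

```php
<?php
// routes/api.php (added example; route path and ability name are assumptions)

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Every route in this group requires a valid "Authorization: Bearer <token>"
// header. Unauthenticated clients that send "Accept: application/json"
// receive a 401 JSON response instead of a redirect to the login route.
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/users', function (Request $request) {
        // Authentication alone is not authorization: require a token that
        // was issued with the (hypothetical) "users:list" ability.
        abort_unless($request->user()->tokenCan('users:list'), 403);

        // Select only the columns the caller needs and paginate, so other
        // columns of the users table are never exposed by this endpoint.
        return User::query()
            ->select(['id', 'name', 'email'])
            ->orderBy('id')
            ->paginate(50);
    });
});

// Issuing the narrow token once for a dedicated service account, e.g. from
// `php artisan tinker` ($serviceUser is a hypothetical, already saved User):
//
//   $serviceUser->createToken('user-directory', ['users:list'])->plainTextToken;
//
// Only a SHA-256 hash of the token is stored in personal_access_tokens, so
// the plain-text value is shown once and must be kept by the calling system.
```

A token created without the second argument carries the wildcard ability and would pass the tokenCan check, so tokens meant for other purposes should be issued with an explicit ability list.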
Hi @ahmad9250
You can connect with me at my email shanisingh280795@gmail.com. We can discuss there.
Thanks
Hey, good article, short and concise!
But may I ask about other uses of this personal access token?
If I may, I will ask point by point if you are willing to enlighten me..
createToken("API TOKEN")->plainTextToken
and input it in database table personal_access_tokens when we login/register right? auth:sanctum
only to provide a limit on Route::middleware('auth:sanctum')->group(function () { });
?? personal_access_tokens
?
Hi
So the use of a personal access token is to identify the user's identity, and based on that it gives you a response. To get a JSON response you can define the request type as JSON; then the Laravel API will always give you a JSON response.
In addition, you can write an exception handler condition and format the response as well.
Hope this will clear your thoughts.
Whoa, thanks for the reply!
I've been trying for days to understand everything by reading the documentation from Laravel, also asking on Stack Overflow, but in the end I just understand that Personal Access Tokens are just User ID identifiers, and do NOT work like session security, right?
By the way, thanks for the explanation on the first point.
The second, thanks for pointing out about the JSON type acceptance and now I can json type message like this
Dear Shani Singh,
First of all thank you for the great articles.
I have a question and if you can help me it will be great.
I am using csrf-cookie based authentication, not token based.
But I am unable to test the API from Postman or Swagger due to the header cookies check.
Have you any advice or solution for me?
Please reply to me.
Hi Tanveer,
laravel.com/docs/9.x/sanctum#csrf-...
This can help you set up csrf-cookie.
Thanks
Hello, thank you so much
I coded exactly like you, but this error is shown when I try the login query in Postman: "message": "SQLSTATE[23000]: Integrity constraint violation: 1048 Column 'tokenable_id' cannot be null"
Please help me :(
Hello
tokenable_id can be user_id or post_id. It depends on your token model, like App\Models\User.
I think it will help you :)
Good Sanctum tutorials
I'm from Vietnam, you get 10 points, no buts.