Laravel API Auth with Sanctum and API Tokens

  • Published: 6 Jul 2024
  • This is a free lesson from my upcoming course "How to Create Laravel API". We take a look at one of the ways to authenticate the API user - by issuing a long-term token which will be used in all the requests.
    Subscribe for -50% discount for the upcoming course:
    bit.ly/laravel-api-subscribe
    - - - - -
    Try our Laravel QuickAdminPanel: bit.ly/quickadminpanel
    Enroll in my Laravel courses: laraveldaily.teachable.com

Comments • 77

  • @jhonbarcasnegras
    @jhonbarcasnegras 3 years ago +17

    Two days trying to understand it and suddenly this video saves my life in a few minutes.
    Thank you.

    • @BitValentine
      @BitValentine 3 years ago

      Exactly :) Love this channel. I did a live stream yesterday about Sanctum for 1 hour and struggled with it. This helped me instantly.

  • @HansVandetas
    @HansVandetas 3 years ago

    Thank you for your brief & clear explanation, straight to the point & solving my problem

  • @redamakarem3737
    @redamakarem3737 3 years ago +1

    Love your content
    Just bought the course
    All the best man

  • @evangelistenockmwakapalila125
    @evangelistenockmwakapalila125 1 year ago

    This was killing me with pain but just a minute you made my day happy DUDE

  • @_saurabhshah
    @_saurabhshah 4 years ago +3

    Great content as always ❤️

  • @belce1982
    @belce1982 2 years ago

    Thanks as always! Keep the hard work!

  • @Mocka-yf4ez
    @Mocka-yf4ez 2 years ago

    thank you so much, your explanation is so clear

  • @vladimircontreras
    @vladimircontreras 4 years ago +1

    If I use a "role abilities" approach (for the User model), the token ability can be bypassed or should that be considered a totally different type of authorization?

  • @repetitoraru
    @repetitoraru 3 years ago

    Thanks a lot, Povilas! You helped so many people. One question. What can be wrong with the following? I made everything according to this video, but in the very end, when in the controller I try to use auth()->user()->tokenCan(), it fails because auth()->user() is null. Maybe someone else here can know? My API controller cannot see the user.

  • @Shortgrauzis
    @Shortgrauzis 3 years ago +1

    Thank you. I was stuck on using a token from the database, which is encrypted, I guess. Did not realize I needed to use the plaintext one.

  • @bhaidar
    @bhaidar 2 years ago

    Hey! Can you please validate the below? When using Sanctum API Tokens tokenCan() is used instead of Gates and can(). While when using Sanctum with Vue (for instance), Gates and can() are the ones used instead of tokenCan()? From what I understand, Sanctum SPA Auth makes use of Laravel Session, hence Gates are just natural to be used. While, Laravel API Tokens, is something else relying heavily on Token + Abilities. Thanks!

  • @julienSibille
    @julienSibille 4 years ago

    Sounds good!

  • @vlauciani
    @vlauciani 2 years ago

    Hi
    I've protected my route with a Sanctum API Token as you describe, but I have a question: when I call the route internally, in my code with 'name()', I'd like to bypass the auth. What is the best practice?
    Thank you.

  • @JY-xv7ic
    @JY-xv7ic 4 years ago

    another new thing that I learn..

  • @zinaright
    @zinaright 2 years ago

    In 5 minutes!!! Thou rockest !

  • @dev_jeongdaeri
    @dev_jeongdaeri 3 years ago

    super amazing!!!

  • @MoawiaAlmardoud
    @MoawiaAlmardoud 4 years ago +1

    What is the best way to protect Vue page with Sanctum?

  • @nguyenhoa072
    @nguyenhoa072 2 years ago

    do you have any guide to building a portal website using Laravel and connecting it to this API?

  • @abelenocrodriguez
    @abelenocrodriguez 4 years ago

    Awesome!

  • @frank_core3193
    @frank_core3193 2 years ago

    Is there a way where we can delete all tokens which are not used anymore using a scheduler?
    Thank you in advance.

  • @w99910
    @w99910 4 years ago +9

    I would rather watch Laravel lessons than Gaming live streams🤣

    • @PovilasKorop
      @PovilasKorop 4 years ago +7

      And my lessons are shorter! :)

  • @TechWizardBoctulus
    @TechWizardBoctulus 1 year ago

    What's the sense of a "white list" of web tokens?

  • @diegoc3749
    @diegoc3749 3 years ago +1

    but anyone with access to the public SPA can look at the requests made via the browser console and steal that bearer token. How is this secure?

  • @raziburrahman6332
    @raziburrahman6332 2 years ago

    I always follow your great tutorial videos. I learned lots of things from here. I am developing a Laravel Vue SPA project with Laravel Sanctum, but when I deploy my project on a subdomain I am getting a 401 error. Can you please make a video on deploying a Laravel Sanctum project on a live server?

  • @birenjung
    @birenjung 1 month ago

    I think the show function returns 403 status because token named categories-show is not made. Am I right?

  • @topx777
    @topx777 3 years ago

    Beautiful! Thanks a lot!

  • @agustinarroyosotomayor6169
    @agustinarroyosotomayor6169 3 years ago

    Great tutorial. Is it possible to combine Sanctum API Tokens with Passport/JWT instead of Sanctum SPA Authentication?

    • @PovilasKorop
      @PovilasKorop 3 years ago

      I've never heard/read of this hybrid approach, don't think it would work.

  • @mnafaykhan2651
    @mnafaykhan2651 3 years ago

    Sir, please help me. I want to apply Sanctum on my custom created model instead of User.php. What do I have to do? Kindly help me.

  • @tomm1175
    @tomm1175 4 years ago

    Sad that there is no refresh token functionality

  • @ShibbirAhmedRaihan
    @ShibbirAhmedRaihan 3 years ago

    First of all, thanks for those awesome videos. But I have a question: how can we secure this token from being exposed on the frontend site or in mobile auth?

    • @silvanasauzana8693
      @silvanasauzana8693 3 years ago

      use SSL (HTTPS) on the backend. That way every request is encrypted. If not, then someone could intercept the token using a MITM technique.

    • @ShibbirAhmedRaihan
      @ShibbirAhmedRaihan 3 years ago

      @@silvanasauzana8693 thanks for your reply. But I am talking about securely saving the token in storage or cookies, so that no one can steal the token from the browser

  • @kwangee
    @kwangee 3 years ago

    I found that the Laravel Sanctum and Fortify documentation is very confusing. Is it possible to use the Laravel Sanctum session guard to authenticate api.php routes? And Fortify for api.php routes?

    • @kwangee
      @kwangee 3 years ago

      Or must we use Laravel Sanctum Tokens to authenticate API routes, and we cannot use Fortify for API routes?

  • @mohammedsadki2180
    @mohammedsadki2180 4 years ago

    great

  • @faruksaldr7338
    @faruksaldr7338 3 years ago

    how to make multi auth with Sanctum or Passport?

  • @hamayoonyousafi555ATgmail
    @hamayoonyousafi555ATgmail 2 years ago

    I think there is also another way to authenticate an API, which is using the Laravel session cookies, like simple web authentication.
    My question is: which one is better, or which one should I use?
    thanks in advance

    • @LaravelDaily
      @LaravelDaily 2 years ago

      You meant this? laravel.com/docs/8.x/sanctum#spa-authentication
      Yes it works, it's your personal choice which one to use.

  • @vlauciani
    @vlauciani 2 years ago

    Thank you very much for this great video; finally I understand Sanctum!
    Could you explain what the best practice is to use 'tokenCan()' in combination with Gates and Policies?

  • @kartiksharma7080
    @kartiksharma7080 2 years ago

    tokenCan is always giving true? Plz help

  • @Vlad73125
    @Vlad73125 4 years ago

    Povilas, what do u prefer? JWT or sanctum?

    • @PovilasKorop
      @PovilasKorop 4 years ago +4

      JWT is soooo 2018 :) But if you got used to it and you're happy with it, stick with JWT. But for everyone new to API Auth I totally recommend Sanctum.

    • @Vlad73125
      @Vlad73125 4 years ago

      @@PovilasKorop Thanks for your opinion :)

  • @PuranAdhikari
    @PuranAdhikari 4 years ago

    I am eagerly waiting for the course to release. Can you please tell us the estimated date for that?

    • @PovilasKorop
      @PovilasKorop 4 years ago +3

      Next week. I decided to spend more time on the Auth section and do a bit more research; it took more time than I expected.

  • @JY-xv7ic
    @JY-xv7ic 4 years ago +1

    how to set the expire?

    • @HansVandetas
      @HansVandetas 3 years ago

      You can configure it in the sanctum.php file under the config folder

  • @ChrystopherMedina
    @ChrystopherMedina 3 years ago

    does the course have some examples of how to consume the API with some JS framework, or just examples of how to consume the endpoints with Postman?

    • @PovilasKorop
      @PovilasKorop 3 years ago

      Mostly Postman; only one or two lessons are a demo of Vue.js, but just to show how it works with the API, then we get back to endpoints. For JS framework usage with the API, you can check out my other newer course "Vue.js + Laravel: CRUD with SPA" laraveldaily.teachable.com/p/vue-laravel-crud-spa

  • @aldiirsanmajid4235
    @aldiirsanmajid4235 3 years ago

    can you help me please? I'm getting this error "Trait 'Laravel\Sanctum\HasApitokens' not found" even though I have installed and imported Sanctum in the User model. please anyone help me

    • @PovilasKorop
      @PovilasKorop 3 years ago

      HasApitokens - shouldn't the T be uppercase? HasApiTokens - maybe that is the reason?

  • @samiullah0011
    @samiullah0011 1 year ago

    Can you make a detailed video on OAuth, what it is and what it does?

    • @LaravelDaily
      @LaravelDaily 1 year ago

      I don't actively use OAuth, I prefer Laravel Sanctum for simplicity.

  • @An_Najib
    @An_Najib 3 years ago

    Lumen OAuth2 please

  • @jannatulnayeem7289
    @jannatulnayeem7289 4 years ago

    I am using Sanctum for authorization purposes only and handling permissions using spatie/permission. Is this the right way to do this?

    • @LaravelDaily
      @LaravelDaily 4 years ago +1

      Yes, totally. Sanctum is for Authentication, and for Authorization you can use the same Sanctum abilities or something external like your middlewares, Gates or packages.

    • @MaurizioCalarese
      @MaurizioCalarese 4 years ago

      @@LaravelDaily, does your course contain videos about how to implement roles and permissions (spatie pkg or not)?
      Because I had problems using the spatie package with Sanctum and I would be interested.

    • @PovilasKorop
      @PovilasKorop 4 years ago +1

      @@MaurizioCalarese I didn't plan that, because it depends on the specific permission package/logic you want to use, but I guess it would be useful. Now, question - what kind of Sanctum did you use? SPA Authentication or API Token?

    • @MaurizioCalarese
      @MaurizioCalarese 4 years ago

      @@PovilasKorop, thanks for your reply.
      Yes, it definitely would be useful; there are a lot of videos/tutorials about Sanctum out there, but no one (at least I haven't found one) shows how to implement existing solutions like spatie/permissions with it, or goes deeply into the argument (to set up Sanctum the official documentation is enough, imho).
      For my project, I'm using Sanctum with API token mode and I had to write roles and permissions from scratch, without all the nice and ready functionalities that the spatie package gives to us.
      Anyway, the best solution would be a setup that works also with SPA mode, to speed up future projects.
      Just an idea for a course/tutorial.
      Ps. I appreciate & understand your good work.

    • @PovilasKorop
      @PovilasKorop 4 years ago +1

      @@MaurizioCalarese Well, here's where it gets confusing. So you used API token for a page that should have been a SPA? Specifically in Sanctum docs it is written: "You should not use API tokens to authenticate your own first-party SPA. Instead, use Sanctum's built-in SPA authentication."
      So whatever tutorial/course I create, every project is almost individual for that type of project, so Sanctum/Passport, then inside of those - what type of tokens to use, and then on top - which roles/permissions logic/package.
      So I can't publish any content that would suit ALL of those possible cases. For the API token case, I would use the same abilities parameters as I used in this video, without any spatie. But it also depends on the features of your project, how big it is, what are typical permissions etc.
      The more I dive into this, the more I realize it's VERY individual, and I can only show people guidelines, or "my way" of doing it, but not help in everyone's situations.
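The threads above keep circling the same set of mechanics: abilities attached to a token (bhaidar's tokenCan()-versus-Gates question, birenjung's 403 on the show endpoint, kartiksharma's "tokenCan is always true"), where expiry is set (JY-xv7ic / HansVandetas), how to get rid of stale tokens (frank_core), and "for the API token case, I would use the same abilities parameters". The following routes file is an added example written for this page, not code from the video or the course. It assumes a stock Laravel skeleton with Sanctum installed, an `App\Models\User` that uses `Laravel\Sanctum\HasApiTokens`, an `App\Models\Category` model, and the `ability` middleware alias registered as the Sanctum docs describe (`Laravel\Sanctum\Http\Middleware\CheckForAnyAbility`); the ability names are made up for the example.

```php
<?php
// routes/api.php -- added example, not the video's own code.
// Assumptions: Sanctum installed, App\Models\User uses HasApiTokens,
// App\Models\Category exists, and the 'ability' middleware alias is registered.

use App\Models\Category;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;

// 1. Issue a token. Sanctum stores only the SHA-256 hash of the token in
//    personal_access_tokens; the plaintext exists only in this one response,
//    which is why a value copied out of the database never authenticates.
Route::post('/login', function (Request $request) {
    $data = $request->validate([
        'email'       => ['required', 'email'],
        'password'    => ['required', 'string'],
        'device_name' => ['required', 'string'],
    ]);

    $user = User::where('email', $data['email'])->first();
    if (! $user || ! Hash::check($data['password'], $user->password)) {
        return response()->json(['message' => 'Invalid credentials.'], 401);
    }

    // Second argument: the token's ability list. Omitting it grants ['*'],
    // for which tokenCan() answers true for every ability.
    // Third argument (Sanctum 3+): per-token expiry, overriding the global
    // 'expiration' (minutes) setting in config/sanctum.php.
    $token = $user->createToken(
        $data['device_name'],
        ['categories:list', 'categories:show'],   // deliberately no categories:delete
        now()->addDays(7)
    );

    return response()->json(['token' => $token->plainTextToken]);
});

// 2. Protected routes. Outside an auth:sanctum group $request->user() is null,
//    which is the usual cause of "tokenCan() on null" errors in controllers.
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/categories', function (Request $request) {
        // tokenCan() inspects the abilities of the token used on THIS request.
        if (! $request->user()->tokenCan('categories:list')) {
            return response()->json(['message' => 'Token lacks categories:list.'], 403);
        }
        return Category::all();
    });

    // The same check expressed declaratively through Sanctum's middleware.
    Route::get('/categories/{category}', fn (Category $category) => $category)
        ->middleware('ability:categories:show');

    // The token issued above does not carry this ability, so the middleware
    // returns 403 before the closure ever runs.
    Route::delete('/categories/{category}', function (Category $category) {
        $category->delete();
        return response()->noContent();
    })->middleware('ability:categories:delete');

    // 3. Revocation. Bearer-token clients only: a session-authenticated request
    //    carries a TransientToken, which has nothing to delete.
    Route::post('/logout', function (Request $request) {
        $request->user()->currentAccessToken()->delete();   // just this device
        return response()->noContent();
    });

    Route::post('/logout-everywhere', function (Request $request) {
        $request->user()->tokens()->delete();               // every token of this user
        return response()->noContent();
    });
});
```

Two behaviours worth knowing when reading the comments above. First, `auth:sanctum` tries the session (web guard) before the Bearer header; a request authenticated by session cookie gets a `TransientToken`, whose `can()` always returns true, so `tokenCan()` reports true for everything in SPA mode, exactly as kartiksharma observed. Abilities therefore scope what a particular token may do; per-user permissions (Gates, Policies, a permissions package) still apply on top, which is the split the LaravelDaily reply describes. Second, expired rows are not removed on their own: Sanctum 3+ ships `php artisan sanctum:prune-expired --hours=24`, which can be added to the scheduler to answer frank_core's question.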

  • @EL_PANDA_742
    @EL_PANDA_742 2 years ago

    Would you mind giving us a brief about your local env? It looks clean, not like XAMPP

  • @jacquesmbabazi9192
    @jacquesmbabazi9192 3 years ago

    Please can you show us how to pass the returned JSON data to a blade file

    • @PovilasKorop
      @PovilasKorop 3 years ago

      Why would you need that? Can you give an example?

    • @jacquesmbabazi9192
      @jacquesmbabazi9192 3 years ago

      @@PovilasKorop because sometimes we need to pass data returned from the API to a blade file

  • @ivanmessina
    @ivanmessina 1 year ago

    I don't understand why you have a JSON response for unauthorized, but I have the HTML code of the page. What am I missing? Been searching on Google for more than 30 minutes without a solution

    • @LaravelDaily
      @LaravelDaily 1 year ago

      Header "accept: application/json"

    • @ivanmessina
      @ivanmessina 1 year ago

      @@LaravelDaily thanks. I figured that out afterwards, when I decided to stop looking on Google and check Postman's options
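The exchange above is a common trap: Laravel's unauthenticated handler returns a JSON 401 only when `$request->expectsJson()` is true, and otherwise redirects to the `login` route, which in an API-only app has no route and ends in an HTML error page. Setting `Accept: application/json` on the client (the reply's fix) is one side of it; the middleware below is an added example, not code from the video, that enforces the JSON branch server-side so an API never answers with an HTML page or a redirect regardless of what the client sent. The class name `ForceJsonResponse` is an assumption for this example.

```php
<?php
// app/Http/Middleware/ForceJsonResponse.php -- added example, not the video's code.
// Assumption: this middleware is prepended to the 'api' middleware group.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class ForceJsonResponse
{
    public function handle(Request $request, Closure $next): Response
    {
        // expectsJson() is what Laravel's exception handler consults before
        // deciding between a JSON error body and a redirect to the login page.
        // Overwriting the Accept header makes every API request take the JSON
        // branch, so a missing or wrong Bearer token yields
        // {"message":"Unauthenticated."} with status 401, never an HTML page.
        $request->headers->set('Accept', 'application/json');

        return $next($request);
    }
}
```

Register it first in the `api` group so it runs before `auth:sanctum`: in `app/Http/Kernel.php` (`$middlewareGroups['api']`) on Laravel 10 and earlier, or in `bootstrap/app.php` via `$middleware->api(prepend: [ForceJsonResponse::class])` on Laravel 11. Clients that do send `Accept: application/json`, as the reply advises, behave the same either way; the middleware only removes the dependence on the client getting it right.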