Laravel Sanctum
Lightweight authentication system for Laravel — provides API token authentication for SPAs, mobile apps, and simple token-based APIs. Sanctum features: personal access tokens (opaque bearer tokens, stored as SHA-256 hashes in the personal_access_tokens table), SPA authentication (cookie-based session auth for same-domain SPAs, no tokens needed), token abilities (fine-grained scopes such as agent:read and agent:create), token expiration, and the HasApiTokens trait for the User model. Simpler alternative to Passport (OAuth2) — no OAuth server overhead. `$token = $user->createToken('agent-client', ['agent:read', 'agent:create'])->plainTextToken` generates a token. Middleware: auth:sanctum validates the Bearer token on agent API routes.
Score Breakdown
🔒 Security
Sanctum stores only the SHA-256 hash of each token in the database, so a compromised database does not yield usable plaintext tokens. Transmit agent tokens over HTTPS only. Set token expiration via the sanctum.expiration config. Rate-limit the token generation endpoint to prevent agent token flooding. Store agent tokens in client-side secure storage (iOS Keychain, Android KeyStore; in browsers, storage that is not readable by injected script, since any XSS can exfiltrate a token kept in localStorage).
Best When
Your Laravel agent service needs API token authentication for your own first-party apps, CLI tools, or SPA — Sanctum provides simple, secure token management without OAuth2 complexity.
Avoid When
You need an OAuth2 authorization server for third-party apps, SSO, or JWT tokens with embedded claims.
Use Cases
- Agent API token generation — $user->createToken('agent-platform-cli', ['agent:read', 'agent:deploy'])->plainTextToken returns the token for agent CLI authentication; token abilities restrict agent operations to the declared permissions
- SPA agent dashboard authentication — Sanctum cookie auth for a React/Vue agent dashboard on the same domain; the CSRF token endpoint (/sanctum/csrf-cookie) enables cookie-based auth without token management in the agent SPA
- Mobile agent app token management — the user creates a named token per device ($user->createToken('iPhone 15')); tokens are listed and revocable in agent account settings, so the user can revoke a compromised device token without affecting other sessions
- Agent API token abilities — $request->user()->tokenCan('agent:delete') checks whether the agent API token has the delete ability before destructive operations; granular agent permission control per token issuance
- Agent API integration testing — Sanctum::actingAs($user, ['agent:read']) in tests authenticates as the user with specific token abilities; no real token generation needed for agent API integration tests
Not For
- Third-party OAuth authorization — Sanctum issues tokens for your own apps and users; to let third-party services authorize as your agent platform users via OAuth2 flows, use Laravel Passport
- Federated identity (SSO) — Sanctum doesn't handle SAML, OIDC, or SSO; for enterprise agent platform SSO, use Laravel Passport or Socialite with an OIDC provider
- High-security token requirements — Sanctum tokens are opaque bearer tokens; for agent APIs requiring JWT with embedded claims (offline validation), use a custom JWT implementation or Passport with JWT
Interface
Authentication
Sanctum provides the auth mechanism: Bearer tokens via the Authorization header, cookie-based session auth for SPAs. Token abilities are custom scopes defined by the application.
Pricing
Laravel Sanctum is MIT licensed, maintained by Laravel team. Free for all use.
Known Gotchas
- ⚠ api guard vs sanctum guard — using 'middleware(auth:api)' instead of 'middleware(auth:sanctum)' selects a different guard; Sanctum tokens are validated by the auth:sanctum middleware, not auth:api; agent routes protected with the wrong guard always return 401 even with valid Sanctum tokens
- ⚠ SPA CSRF requires same domain or trusted origin config — Sanctum SPA auth only works when the frontend and API share the same domain or the frontend domain is listed in the sanctum.stateful_domains config; cross-domain agent SPAs fall back to token auth; missing domain configuration causes 401 for all SPA agent requests despite a valid session
- ⚠ Token hashing means the plaintext is shown once only — $user->createToken('name')->plainTextToken is the only time the plaintext is available; Sanctum stores the SHA-256 hash; agent clients must save the token immediately; a lost token requires revoke and reissue; there is no way to retrieve the original token after creation
- ⚠ Token abilities are not enforced automatically — tokenCan('agent:delete') must be called explicitly in the controller (or the abilities middleware applied to the route); the Sanctum middleware (auth:sanctum) validates that the token exists and isn't expired but doesn't check abilities; omitting the ability check in an agent controller action bypasses ability-based access control even with scoped tokens
- ⚠ Multiple tokens per user require a token management UI — users can create unlimited tokens; without token listing and revocation UI ($user->tokens()->get()), users cannot manage compromised agent API tokens; implement token management so agent platform users can list devices/apps and revoke access
- ⚠ Expiration requires configured pruning — Sanctum token expiration (sanctum.expiration config, in minutes) marks tokens expired but doesn't delete them; expired tokens remain in the database until pruned; schedule $schedule->command('sanctum:prune-expired --hours=24') to remove expired agent tokens
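Putting the guard, ability and revocation gotchas above together, as an added example (not Sanctum's or this page's own code): the route paths, closures and the agent:* ability names are assumptions; the `abilities` middleware alias is registered automatically on Laravel 11+ and must be added to the HTTP kernel's middleware aliases on older versions.

```php
<?php
// routes/api.php (added example; routes and ability names are assumptions)

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Issue a scoped, expiring token. plainTextToken is the only time the
// secret is visible; the DB keeps its SHA-256 hash, so the client must
// persist the value immediately.
Route::post('/agent/tokens', function (Request $request) {
    $token = $request->user()->createToken(
        'agent-platform-cli',
        ['agent:read', 'agent:deploy'],
        now()->addDays(30)              // per-token expiry (Sanctum 3+)
    );
    return ['token' => $token->plainTextToken];
})->middleware('auth:sanctum');

// Wrong guard: auth:api never validates Sanctum tokens, so this route
// would answer 401 even for a valid token.
// Route::get('/agent/status', ...)->middleware('auth:api');

// auth:sanctum only checks that the token exists and is unexpired; it does
// NOT check abilities. The 'abilities' middleware enforces them per route.
Route::middleware(['auth:sanctum', 'abilities:agent:deploy'])->group(function () {
    Route::post('/agent/deploy', function (Request $request) {
        return ['deployed' => true];
    });
});

// Explicit in-action check for a destructive operation. Note: a user
// authenticated via the SPA session carries a transient token for which
// tokenCan() returns true, so this gate only restricts API tokens.
Route::delete('/agent/{id}', function (Request $request, string $id) {
    if (! $request->user()->tokenCan('agent:delete')) {
        abort(403, 'Token lacks the agent:delete ability');
    }
    // ... destructive operation on $id ...
    return response()->noContent();
})->middleware('auth:sanctum');

// Revoke one compromised device token without touching the others.
Route::delete('/agent/tokens/{tokenId}', function (Request $request, int $tokenId) {
    $request->user()->tokens()->where('id', $tokenId)->delete();
    return response()->noContent();
})->middleware('auth:sanctum');
```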
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Laravel Sanctum.
Scores are editorial opinions as of 2026-03-06.