Laravel Sanctum provides a lightweight authentication system for SPAs (Single Page Applications) and mobile APIs.
Two Sanctum Modes
SPA Authentication (cookie-based). For an SPA hosted on the same domain as the API:
Uses Laravel's standard session cookie
CSRF protection is automatic
Safer than keeping a token in localStorage
API Token Authentication. For mobile apps or third-party applications:
The token is stored by the client and sent in a request header
The token's capabilities can be restricted (abilities)
Sanctum Setup
composer require laravel/sanctum
php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
php artisan migrate
Add the Trait to the User Model
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    // HasApiTokens adds createToken(), tokens(), tokenCan() and currentAccessToken()
    use HasApiTokens, HasFactory, Notifiable;
}
Login and Issue a Token
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

public function login(Request $request): JsonResponse
{
    $credentials = $request->validate([
        'email' => ['required', 'email'],
        'password' => ['required'],
    ]);

    if (! Auth::attempt($credentials)) {
        return response()->json(['message' => 'Invalid credentials'], 401);
    }

    $user = Auth::user();

    // The plain-text token is only available here, at creation time;
    // Sanctum stores just its hash in the personal_access_tokens table.
    $token = $user->createToken('mobile-app', ['read', 'write'])->plainTextToken;

    return response()->json(['token' => $token]);
}
Protected Routes
Route::middleware('auth:sanctum')->group(function () {
Route::get('/user', fn (Request $r) => $r->user());
Route::apiResource('notes', NoteController::class);
});
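The login above grants the token the abilities ['read', 'write'], but nothing so far enforces them, and a token that is never revoked stays valid until it is deleted. The following is an added example (not code from the original page) showing ability enforcement at the route and controller level plus a logout that revokes the current token. It assumes a Note model with a user->notes() relation and that Sanctum's ability middleware aliases ('ability' / 'abilities') are registered as Sanctum's documentation describes.

```php
<?php
// Added example: enforce token abilities and revoke tokens on logout.
// Assumes App\Models\Note (hypothetical) and Sanctum's 'ability' middleware alias.

use App\Models\Note;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->group(function () {
    // Route-level enforcement: a token issued with only ['read'] can list notes,
    // and Sanctum's CheckAbilities middleware answers 403 when the ability is missing.
    Route::get('/notes', function (Request $request) {
        return $request->user()->notes()->get();
    })->middleware('ability:read');

    Route::post('/notes', function (Request $request): JsonResponse {
        $data = $request->validate(['body' => ['required', 'string', 'max:2000']]);
        $note = $request->user()->notes()->create($data);

        return response()->json($note, 201);
    })->middleware('ability:write');

    // Controller-level enforcement for a single sensitive action. tokenCan() checks
    // the abilities stored with the token that authenticated this request; for a
    // cookie-authenticated SPA session Sanctum uses a TransientToken that allows all.
    Route::delete('/notes/{note}', function (Request $request, Note $note) {
        if (! $request->user()->tokenCan('write')) {
            return response()->json(['message' => 'Token lacks the write ability'], 403);
        }

        $note->delete();

        return response()->noContent();
    });

    // Revoke only the token that made this request, so the user's other devices
    // stay signed in; $request->user()->tokens()->delete() would revoke all of them.
    Route::post('/logout', function (Request $request): JsonResponse {
        $request->user()->currentAccessToken()->delete();

        return response()->json(['message' => 'Token revoked']);
    });
});
```

A token created with createToken('mobile-app', ['read']) can then call GET /notes but receives 403 on POST and DELETE, and after POST /logout every request with that token fails with 401.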