PHP Development | Tutorial 17 | Laravel Passport vs Sanctum

by | Oct 15, 2025 | PHP Development, Web App Development | 0 comments

PHP Development Tutorial 17 Laravel Passport vs Sanctum_WebAppRater

Introduction

When building APIs in Laravel, one of the most important decisions is how to authenticate users. Laravel provides two official packages: Passport and Sanctum. Both handle API authentication, but they serve different use cases.

In interviews, you might be asked: “When should you use Passport vs Sanctum?” or “How does token authentication work in Laravel?” This article breaks it down clearly.

Why API Authentication Matters

Unlike traditional web apps that use sessions & cookies, APIs often serve stateless clients like mobile apps, SPAs (React, Vue, Angular), or third-party integrations. Authentication needs to:

  • Verify who the user is.
  • Provide secure access tokens.
  • Work across different platforms.

Laravel Sanctum

Sanctum is a lightweight authentication package for:

  • Single Page Applications (SPAs).
  • Mobile applications.
  • Simple token-based APIs.

How Sanctum Works

  • Provides API tokens that can be issued per user.
  • Can manage multiple tokens (e.g., mobile, web, IoT).
  • Tokens can have abilities/permissions.

Example: Issuing a Token

$user = User::find(1);
$token = $user->createToken('mobile-app')->plainTextToken;

👉 Returns a string token you can store in your mobile app.

Protecting Routes with Sanctum

Route::middleware('auth:sanctum')->get('/profile', function (Request $request) {
    return $request->user();
});

Laravel Passport

Passport is a full OAuth2 implementation for Laravel. It’s designed for enterprise-level apps where you need advanced authentication flows.

Passport Features

  • Implements full OAuth2 server.
  • Supports Authorization Code Grant, Client Credentials, Password Grant.
  • Useful for third-party applications that need access to your API.

Example: Password Grant Tokens

php artisan passport:install

Controller:

public function login(Request $request) {
    $http = new \GuzzleHttp\Client;

    $response = $http->post('http://your-app.com/oauth/token', [
        'form_params' => [
            'grant_type' => 'password',
            'client_id' => 'client-id',
            'client_secret' => 'client-secret',
            'username' => $request->email,
            'password' => $request->password,
        ],
    ]);

    return json_decode((string) $response->getBody(), true);
}

👉 Passport is heavier but necessary for complex, multi-client ecosystems.

Sanctum vs Passport: Comparison Table

Feature Sanctum Passport
Use Case SPAs, mobile apps, simple APIs Enterprise apps, OAuth2, 3rd party
Complexity Lightweight, easy to set up Heavier, requires OAuth2 setup
Token Type Personal access tokens OAuth2 access tokens
Multiple Clients Yes (tokens per device/app) Yes (OAuth2 client IDs)
Best For In-house apps (your frontend + API) APIs shared with external apps
Setup Few Artisan commands Requires installing Passport + migrations

When to Use Which?

Use Sanctum if:

  • You’re building a SPA (Vue, React, Angular).
  • You’re building a mobile app with your own backend.
  • You just need simple token authentication.

Use Passport if:

  • You need full OAuth2 compliance.
  • You’re exposing APIs to third-party developers.
  • You need advanced flows (authorization code, client credentials).

Common Beginner Mistakes

  • Using Passport when Sanctum would be enough (adds unnecessary complexity).
  • Forgetting to protect routes with auth:sanctum or auth:api.
  • Mixing session-based authentication with token-based APIs.
  • Storing tokens insecurely in localStorage (instead of secure storage on mobile).

Sample Interview Questions & Answers

Q: What’s the difference between Laravel Passport and Sanctum?
A: Sanctum is for simple API tokens and SPAs. Passport is a full OAuth2 server for enterprise apps with complex auth flows.

Q: When should you use Sanctum instead of Passport?
A: When building your own SPA or mobile app where you don’t need OAuth2 complexity.

Q: Can Sanctum issue multiple tokens per user?
A: Yes, each device or app can have its own token with abilities.

Q: What’s the benefit of Passport?
A: Provides OAuth2 flows like authorization code grant, useful when external apps need access.

Q: What middleware is used for Sanctum APIs?
A: auth:sanctum.

Q: Is Sanctum more lightweight than Passport? Why?
A: Yes—because Sanctum only provides simple token-based auth, while Passport implements the full OAuth2 protocol.

Mini Project Idea

👉 Build a Notes App API:

  • Use Sanctum for mobile app login & token authentication.
  • Use Passport to allow third-party integrations (e.g., another app can fetch a user’s notes with permission).
  • Demonstrate why different apps need different auth methods.

Closing Note

Both Sanctum and Passport are powerful, but they serve different purposes. Sanctum is great for in-house apps (your frontend + backend). Passport is for enterprise-level, OAuth2-compliant APIs.

Laravel Framework Mastery

Laravel Validation & Form Requests
→ Ensure secure and reliable user input by leveraging Laravel’s robust validation rules and custom form request classes

Laravel Authentication & Authorization
→ Secure your web applications effortlessly by implementing Laravel’s robust authentication and authorization features for users and roles

Laravel as an API Backend
→ Build powerful, scalable APIs with Laravel, leveraging routes, controllers, and resources for seamless data handling and integration

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Tutorial - Table of Content