{"id":326,"date":"2025-08-27T19:54:33","date_gmt":"2025-08-27T19:54:33","guid":{"rendered":"https:\/\/1v0.net\/blog\/?p=326"},"modified":"2025-08-27T19:54:36","modified_gmt":"2025-08-27T19:54:36","slug":"how-to-build-a-rest-api-with-laravel-12-sanctum","status":"publish","type":"post","link":"https:\/\/1v0.net\/blog\/how-to-build-a-rest-api-with-laravel-12-sanctum\/","title":{"rendered":"How to Build a REST API with Laravel 12 & Sanctum"},"content":{"rendered":"\n

How to Build a REST API with Laravel 12 & Sanctum<\/strong><\/h2>\n\n\n\n

Building a REST API in Laravel requires a secure way to authenticate requests. Laravel Sanctum<\/strong> is the recommended package for issuing and managing API tokens. In this guide, you\u2019ll configure Sanctum, protect routes, issue tokens, and build endpoints for authentication and data access. We\u2019ll also build a small test UI to interact with the API.<\/p>\n\n\n\n

<\/div>\n\n\n\n

1 – Install and Configure Sanctum<\/strong><\/h2>\n\n\n\n

First, install Sanctum and publish its configuration and migrations.<\/p>\n\n\n

composer require laravel\/sanctum\n\nphp artisan vendor:publish --provider=\"Laravel\\Sanctum\\SanctumServiceProvider\"<\/span>\n\nphp artisan migrate<\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n\n
The package creates a personal_access_tokens<\/code> table where issued tokens are stored. Publishing the config file gives you full control over expiration and storage options.<\/p>\n\n\n\n
<\/div>\n\n\n\n
2 – Enable Sanctum Middleware<\/strong><\/h2>\n\n\n\n
Add Sanctum\u2019s middleware to the api<\/code> guard so that token authentication works automatically on protected routes.<\/p>\n\n\n
\/\/ app\/Http\/Kernel.php (snippet)<\/span>\nprotected<\/span> $middlewareGroups = [\n    'api'<\/span> => [\n        \\Laravel\\Sanctum\\Http\\Middleware\\EnsureFrontendRequestsAreStateful::class,\n        'throttle:api'<\/span>,\n        \\Illuminate\\Routing\\Middleware\\SubstituteBindings::class,\n    ],\n];<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Including EnsureFrontendRequestsAreStateful<\/code> allows SPAs and mobile apps to use cookies or tokens seamlessly. Throttling protects APIs against brute force attacks.<\/p>\n\n\n\n
<\/div>\n\n\n\n
3 – Updating the User Model<\/strong><\/h2>\n\n\n\n
Add the HasApiTokens<\/code> trait to the User model so it can issue and manage tokens.<\/p>\n\n\n
\/\/ app\/Models\/User.php<\/span>\nnamespace<\/span> App<\/span>\\Models<\/span>;\n\nuse<\/span> Illuminate<\/span>\\Foundation<\/span>\\Auth<\/span>\\User<\/span> as<\/span> Authenticatable<\/span>;\nuse<\/span> Laravel<\/span>\\Sanctum<\/span>\\HasApiTokens<\/span>;\n\nclass<\/span> User<\/span> extends<\/span> Authenticatable<\/span>\n<\/span>{\n    use<\/span> HasApiTokens<\/span>;\n\n    protected<\/span> $fillable = ['name'<\/span>,'email'<\/span>,'password'<\/span>];\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Now you can call $user->createToken()<\/code> to generate tokens tied to the user. Each token can have its own abilities (scopes).<\/p>\n\n\n\n
<\/div>\n\n\n\n
4 – Authentication Routes and Controllers<\/strong><\/h2>\n\n\n\n
Create endpoints for registering, logging in, and logging out. Tokens are returned after login and should be used in the Authorization<\/code> header.<\/p>\n\n\n
\/\/ routes\/api.php<\/span>\nuse<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\AuthApiController<\/span>;\n\nRoute::post('\/register'<\/span>, [AuthApiController::class, 'register'<\/span>]);\nRoute::post('\/login'<\/span>, [AuthApiController::class, 'login'<\/span>]);\nRoute::middleware('auth:sanctum'<\/span>)->post('\/logout'<\/span>, [AuthApiController::class, 'logout'<\/span>]);<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
These routes provide a minimal authentication API. The auth:sanctum<\/code> middleware ensures only valid token holders can call logout.<\/p>\n\n\n
\/\/ app\/Http\/Controllers\/AuthApiController.php<\/span>\nnamespace<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>;\n\nuse<\/span> App<\/span>\\Models<\/span>\\User<\/span>;\nuse<\/span> Illuminate<\/span>\\Http<\/span>\\Request<\/span>;\nuse<\/span> Illuminate<\/span>\\Support<\/span>\\Facades<\/span>\\Hash<\/span>;\n\nclass<\/span> AuthApiController<\/span> extends<\/span> Controller<\/span>\n<\/span>{\n    public<\/span> function<\/span> register<\/span>(Request $request)<\/span>\n    <\/span>{\n        $data = $request->validate([\n            'name'<\/span> => 'required|string|max:255'<\/span>,\n            'email'<\/span> => 'required|email|unique:users'<\/span>,\n            'password'<\/span> => 'required|string|min:6'<\/span>,\n        ]);\n\n        $user = User::create([\n            'name'<\/span> => $data['name'<\/span>],\n            'email'<\/span> => $data['email'<\/span>],\n            'password'<\/span> => Hash::make($data['password'<\/span>]),\n        ]);\n\n        return<\/span> response()->json(['user'<\/span> => $user], 201<\/span>);\n    }\n\n    public<\/span> function<\/span> login<\/span>(Request $request)<\/span>\n    <\/span>{\n        $request->validate([\n            'email'<\/span> => 'required|email'<\/span>,\n            'password'<\/span> => 'required'<\/span>,\n        ]);\n\n        $user = User::where('email'<\/span>, $request->email)->first();\n\n        if<\/span> (!$user || !Hash::check($request->password, $user->password)) {\n            return<\/span> response()->json(['message'<\/span> => 'Invalid credentials'<\/span>], 401<\/span>);\n        }\n\n        $token = $user->createToken('api-token'<\/span>, ['*'<\/span>])->plainTextToken;\n\n        return<\/span> response()->json(['token'<\/span> => $token]);\n    }\n\n    public<\/span> function<\/span> logout<\/span>(Request $request)<\/span>\n    <\/span>{\n        $request->user()->currentAccessToken()->delete();\n        return<\/span> response()->json(['message'<\/span> => 'Logged out'<\/span>]);\n    }\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
The login<\/code> method issues a token on success. The token must be sent as Authorization: Bearer <token><\/code> in subsequent requests. logout()<\/code> revokes the current token by deleting it.<\/p>\n\n\n\n
<\/div>\n\n\n\n
5 – Protecting API Routes<\/strong><\/h2>\n\n\n\n
To secure your API endpoints, wrap them with auth:sanctum<\/code>. Example: protecting a posts resource.<\/p>\n\n\n
\/\/ routes\/api.php (snippet)<\/span>\nuse<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\PostApiController<\/span>;\n\nRoute::middleware('auth:sanctum'<\/span>)->group(function<\/span> ()<\/span> <\/span>{\n    Route::get('\/posts'<\/span>, [PostApiController::class, 'index'<\/span>]);\n    Route::post('\/posts'<\/span>, [PostApiController::class, 'store'<\/span>]);\n});<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Now only authenticated users with valid tokens can fetch or create posts. If the token is missing or invalid, Laravel returns a 401 Unauthorized response automatically.<\/p>\n\n\n\n
<\/div>\n\n\n\n
6 – Example Resource Controller<\/strong><\/h2>\n\n\n\n
Here\u2019s a simple API controller for posts. It validates input and ties posts to the authenticated user.<\/p>\n\n\n
\/\/ app\/Http\/Controllers\/PostApiController.php<\/span>\nnamespace<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>;\n\nuse<\/span> App<\/span>\\Models<\/span>\\Post<\/span>;\nuse<\/span> Illuminate<\/span>\\Http<\/span>\\Request<\/span>;\n\nclass<\/span> PostApiController<\/span> extends<\/span> Controller<\/span>\n<\/span>{\n    public<\/span> function<\/span> index<\/span>()<\/span>\n    <\/span>{\n        return<\/span> Post::with('user:id,name'<\/span>)->latest()->paginate(10<\/span>);\n    }\n\n    public<\/span> function<\/span> store<\/span>(Request $request)<\/span>\n    <\/span>{\n        $data = $request->validate([\n            'title'<\/span> => 'required|string|max:255'<\/span>,\n            'body'<\/span>  => 'required|string'<\/span>,\n        ]);\n\n        $post = $request->user()->posts()->create($data);\n\n        return<\/span> response()->json($post, 201<\/span>);\n    }\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
The index<\/code> endpoint paginates posts and includes the author\u2019s name. The store<\/code> method creates a post linked to the authenticated user, ensuring accountability and traceability.<\/p>\n\n\n\n
<\/div>\n\n\n\n
7 – Quick UI: API Tester Blade<\/strong><\/h2>\n\n\n\n
For convenience, here\u2019s a small Blade UI to test your API directly in the browser. It uses Axios to make requests with the Bearer token.<\/p>\n\n\n
<!-- resources\/views\/api\/test.blade.php -->\n@extends('layouts.app'<\/span>)\n\n@section('content'<\/span>)\n<div class<\/span>=\"container<\/span>\">\n  <h1<\/span>>API<\/span> Tester<\/span><\/h1<\/span>>\n\n  <div<\/span> class<\/span>=\"mb<\/span>-3\">\n    <label<\/span> class<\/span>=\"form<\/span>-label<\/span>\">Bearer<\/span> Token<\/span><\/label<\/span>>\n    <input<\/span> id<\/span>=\"token<\/span>\" type<\/span>=\"text<\/span>\" class<\/span>=\"form<\/span>-control<\/span>\" placeholder<\/span>=\"Paste<\/span> your<\/span> token<\/span> here<\/span>\">\n  <\/div<\/span>>\n\n  <button<\/span> class<\/span>=\"btn<\/span> btn<\/span>-theme<\/span> mb<\/span>-3\" onclick<\/span>=\"getPosts<\/span>()\">Fetch<\/span> Posts<\/span><\/button<\/span>>\n  <pre<\/span> id<\/span>=\"result<\/span>\"><\/pre<\/span>>\n<\/div<\/span>>\n\n<script<\/span> src<\/span>=\"https<\/span>:\/\/cdn<\/span>.jsdelivr<\/span>.net<\/span>\/npm<\/span>\/axios<\/span>\/dist<\/span>\/axios<\/span>.min<\/span>.js<\/span>\"><\/script<\/span>>\n<script<\/span>>\nfunction<\/span> getPosts<\/span>() <\/span>{\n  const<\/span> token = document.getElementById('token'<\/span>).value;\n  axios.get('\/api\/posts'<\/span>, {\n    headers: { Authorization: `Bearer ${token}` }\n  }).then(res => {\n    document.getElementById('result'<\/span>).textContent =\n      JSON.stringify(res.data, null<\/span>, 2<\/span>);\n  }).catch<\/span>(err => {\n    document.getElementById('result'<\/span>).textContent =\n      err.response ? err.response.status+' '<\/span>+err.response.statusText : err;\n  });\n}\n<\/script>\n@endsection<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
This UI lets you test API endpoints quickly\u2014just paste a token and click \u201cFetch Posts.\u201d Useful for developers or QA before using Postman or mobile clients.<\/p>\n\n\n\n
<\/div>\n\n\n\n
Wrapping Up<\/h2>\n\n\n\n
With Sanctum, building a secure REST API in Laravel is straightforward. You installed and configured Sanctum, updated the User model, built authentication routes, protected endpoints, and added a small UI tester. This approach is lightweight, token-based, and ideal for SPAs and mobile apps. You now have the foundation of a production-ready API.<\/p>\n\n\n\n
<\/div>\n\n\n\n
What\u2019s Next<\/h2>\n\n\n\n