{"id":361,"date":"2025-08-27T20:36:05","date_gmt":"2025-08-27T20:36:05","guid":{"rendered":"https:\/\/1v0.net\/blog\/?p=361"},"modified":"2025-08-27T20:36:07","modified_gmt":"2025-08-27T20:36:07","slug":"how-to-add-jwt-authentication-to-laravel-apis","status":"publish","type":"post","link":"https:\/\/1v0.net\/blog\/how-to-add-jwt-authentication-to-laravel-apis\/","title":{"rendered":"How to Add JWT Authentication to Laravel APIs"},"content":{"rendered":"\n

How to Add JWT Authentication to Laravel APIs<\/strong><\/h2>\n\n\n\n

JWT (JSON Web Tokens)<\/strong> is a stateless auth mechanism ideal for APIs. Clients authenticate once, receive a signed token, and send it in the Authorization: Bearer <token><\/code> header. In this guide you\u2019ll install a JWT library, issue\/verify tokens, protect routes, refresh\/blacklist tokens, and build a tiny UI to test everything.<\/p>\n\n\n\n

<\/div>\n\n\n\n\n

1 – Install & Configure the JWT Package<\/strong><\/h2>\n\n\n\n

We\u2019ll use the popular tymon\/jwt-auth<\/code> package which provides guards, middleware, and helpers for issuing\/validating JWTs.<\/p>\n\n\n

composer require tymon\/jwt-auth\n\nphp artisan vendor:publish --provider=\"Tymon\\JWTAuth\\Providers\\LaravelServiceProvider\"<\/span>\n\nphp artisan jwt:secret<\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n\n
Publishing copies config\/jwt.php<\/code> into your app. Running jwt:secret<\/code> sets JWT_SECRET<\/code> in .env<\/code> and generates a signing key. Keep it private; changing it invalidates all existing tokens.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
2 – Switch API Guard to JWT<\/strong><\/h2>\n\n\n\n
Tell Laravel to use the JWT guard for API routes so auth:api<\/code> resolves the bearer token into the authenticated user.<\/p>\n\n\n
\/\/ config\/auth.php (snippets)<\/span>\n'guards'<\/span> => [\n    'web'<\/span> => [\n        'driver'<\/span> => 'session'<\/span>,\n        'provider'<\/span> => 'users'<\/span>,\n    ],\n    'api'<\/span> => [\n        'driver'<\/span> => 'jwt'<\/span>,    \/\/ <-- use the JWT driver<\/span>\n        'provider'<\/span> => 'users'<\/span>,\n    ],\n],\n\n'providers'<\/span> => [\n    'users'<\/span> => [\n        'driver'<\/span> => 'eloquent'<\/span>,\n        'model'<\/span>  => App\\Models\\User::class,\n    ],\n],<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
The jwt<\/code> driver hooks into request lifecycle to validate and decode tokens automatically, making auth('api')<\/code> and $request->user()<\/code> work as usual for protected endpoints.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
3 – Auth Controller: Login, Me, Logout, Refresh<\/strong><\/h2>\n\n\n\n
Create a dedicated controller for token issuance and lifecycle operations. We\u2019ll validate credentials, return a signed JWT, expose a me<\/code> endpoint, invalidate tokens on logout, and refresh tokens before expiry.<\/p>\n\n\n
\/\/ app\/Http\/Controllers\/JwtAuthController.php<\/span>\nnamespace<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>;\n\nuse<\/span> Illuminate<\/span>\\Http<\/span>\\Request<\/span>;\nuse<\/span> Illuminate<\/span>\\Support<\/span>\\Facades<\/span>\\Auth<\/span>;\n\nclass<\/span> JwtAuthController<\/span> extends<\/span> Controller<\/span>\n<\/span>{\n    public<\/span> function<\/span> login<\/span>(Request $request)<\/span>\n    <\/span>{\n        $credentials = $request->validate([\n            'email'<\/span> => ['required'<\/span>,'email'<\/span>],\n            'password'<\/span> => ['required'<\/span>]\n        ]);\n\n        if<\/span> (! $token = Auth::guard('api'<\/span>)->attempt($credentials)) {\n            return<\/span> response()->json(['message'<\/span> => 'Invalid credentials'<\/span>], 401<\/span>);\n        }\n\n        return<\/span> $this<\/span>->respondWithToken($token);\n    }\n\n    public<\/span> function<\/span> me<\/span>()<\/span>\n    <\/span>{\n        return<\/span> response()->json(Auth::guard('api'<\/span>)->user());\n    }\n\n    public<\/span> function<\/span> logout<\/span>()<\/span>\n    <\/span>{\n        Auth::guard('api'<\/span>)->logout(); \/\/ adds token to blacklist if enabled<\/span>\n        return<\/span> response()->json(['message'<\/span> => 'Logged out'<\/span>]);\n    }\n\n    public<\/span> function<\/span> refresh<\/span>()<\/span>\n    <\/span>{\n        return<\/span> $this<\/span>->respondWithToken(Auth::guard('api'<\/span>)->refresh());\n    }\n\n    protected<\/span> function<\/span> respondWithToken<\/span>(string $token)<\/span>\n    <\/span>{\n        return<\/span> response()->json([\n            'access_token'<\/span> => $token,\n            'token_type'<\/span>   => 'bearer'<\/span>,\n            'expires_in'<\/span>   => Auth::guard('api'<\/span>)->factory()->getTTL() * 60<\/span>\n        ]);\n    }\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
attempt()<\/code> verifies credentials and returns a JWT on success. logout()<\/code> invalidates the current token (blacklists it if configured). refresh()<\/code> issues a new token using a still-valid one, extending the session without re-entering credentials.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
4 – Routes & Middleware<\/strong><\/h2>\n\n\n\n
Expose auth endpoints and protect your API routes with auth:api<\/code>. You can also add throttling to slow down brute-force attempts.<\/p>\n\n\n
\/\/ routes\/api.php<\/span>\nuse<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\JwtAuthController<\/span>;\nuse<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\PostApiController<\/span>;\n\nRoute::post('\/auth\/login'<\/span>,    [JwtAuthController::class, 'login'<\/span>])->middleware('throttle:20,1'<\/span>);\nRoute::post('\/auth\/refresh'<\/span>,  [JwtAuthController::class, 'refresh'<\/span>]);\nRoute::post('\/auth\/logout'<\/span>,   [JwtAuthController::class, 'logout'<\/span>])->middleware('auth:api'<\/span>);\nRoute::get('\/auth\/me'<\/span>,        [JwtAuthController::class, 'me'<\/span>])->middleware('auth:api'<\/span>);\n\n\/\/ Example protected resource<\/span>\nRoute::middleware('auth:api'<\/span>)->group(function<\/span> ()<\/span> <\/span>{\n    Route::get('\/posts'<\/span>,  [PostApiController::class, 'index'<\/span>]);\n    Route::post('\/posts'<\/span>, [PostApiController::class, 'store'<\/span>]);\n});<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Only authenticated requests with a valid bearer token can reach the protected group. The login route is throttled to mitigate password spraying; adjust limits for your environment.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
5 – Token TTL, Refresh & Blacklist<\/strong><\/h2>\n\n\n\n
Configure expiry and blacklist behavior to balance security and UX. Short TTL + refresh rotation is a good default.<\/p>\n\n\n
\/\/ config\/jwt.php (snippets)<\/span>\n'ttl'<\/span> => env('JWT_TTL'<\/span>, 60<\/span>),            \/\/ minutes, e.g. 60<\/span>\n'refresh_ttl'<\/span> => env('JWT_REFRESH_TTL'<\/span>, 20160<\/span>), \/\/ minutes (14 days)<\/span>\n'blacklist_enabled'<\/span> => env('JWT_BLACKLIST_ENABLED'<\/span>, true<\/span>),<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
ttl<\/code> controls access token lifetime. refresh_ttl<\/code> controls how long a token can be refreshed. With blacklist enabled, logout()<\/code> immediately invalidates the token even if it hasn\u2019t expired, preventing reuse.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
6 – Optional: Add Custom Claims<\/strong><\/h2>\n\n\n\n
You can embed extra, non-sensitive info in the JWT (e.g., role, plan). Use claims for authorization hints\u2014not for secrets.<\/p>\n\n\n
\/\/ app\/Models\/User.php (snippet)<\/span>\nuse<\/span> Tymon<\/span>\\JWTAuth<\/span>\\Contracts<\/span>\\JWTSubject<\/span>;\n\nclass<\/span> User<\/span> extends<\/span> Authenticatable<\/span> implements<\/span> JWTSubject<\/span>\n<\/span>{\n    \/\/ ...<\/span>\n\n    public<\/span> function<\/span> getJWTIdentifier<\/span>()<\/span>\n    <\/span>{\n        return<\/span> $this<\/span>->getKey();\n    }\n\n    public<\/span> function<\/span> getJWTCustomClaims<\/span>()<\/span>\n    <\/span>{\n        return<\/span> [\n            'role'<\/span> => $this<\/span>->role ?? 'user'<\/span>,\n            'plan'<\/span> => $this<\/span>->plan ?? 'free'<\/span>,\n        ];\n    }\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Implementing JWTSubject<\/code> allows the library to serialize the user into the token. Custom claims travel with the token and are available after decode, handy for quick policy checks.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
7 – CORS & Frontend Usage<\/strong><\/h2>\n\n\n\n
SPAs\/mobile apps must send the bearer token on every request. If your frontend runs on a different origin, enable CORS so browsers allow the calls.<\/p>\n\n\n
\/\/ app\/Http\/Kernel.php (snippet)<\/span>\nprotected<\/span> $middleware = [\n    \/\/ ...<\/span>\n    \\Fruitcake\\Cors\\HandleCors::class,\n];<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Use the official CORS middleware (already present in new Laravel apps). Configure allowed origins, methods, and headers in config\/cors.php<\/code>. Always send Authorization: Bearer <token><\/code> from the client.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
8 – UI: Minimal JWT Tester<\/strong><\/h2>\n\n\n\n
This tiny page logs in to get a token, calls a protected endpoint, refreshes the token, and logs out \u2014 all from the browser.<\/p>\n\n\n
<!-- resources\/views\/jwt\/tester.blade.php --><\/span>\n@extends('layouts.app')\n\n@section('content')\n<div<\/span> class<\/span>=\"container\"<\/span>><\/span>\n  <h1<\/span>><\/span>JWT Tester<\/h1<\/span>><\/span>\n\n  <div<\/span> class<\/span>=\"row g-2\"<\/span>><\/span>\n    <div<\/span> class<\/span>=\"col-md-4\"<\/span>><\/span><input<\/span> id<\/span>=\"email\"<\/span> class<\/span>=\"form-control\"<\/span> placeholder<\/span>=\"Email\"<\/span>><\/span><\/div<\/span>><\/span>\n    <div<\/span> class<\/span>=\"col-md-4\"<\/span>><\/span><input<\/span> id<\/span>=\"password\"<\/span> type<\/span>=\"password\"<\/span> class<\/span>=\"form-control\"<\/span> placeholder<\/span>=\"Password\"<\/span>><\/span><\/div<\/span>><\/span>\n  <\/div<\/span>><\/span>\n\n  <div<\/span> class<\/span>=\"mt-3\"<\/span>><\/span>\n    <button<\/span> class<\/span>=\"btn btn-theme\"<\/span> onclick<\/span>=\"login()\"<\/span>><\/span>Login<\/button<\/span>><\/span>\n    <button<\/span> class<\/span>=\"btn btn-secondary ms-2\"<\/span> onclick<\/span>=\"me()\"<\/span>><\/span>Call \/auth\/me<\/button<\/span>><\/span>\n    <button<\/span> class<\/span>=\"btn btn-warning ms-2\"<\/span> onclick<\/span>=\"refresh()\"<\/span>><\/span>Refresh Token<\/button<\/span>><\/span>\n    <button<\/span> class<\/span>=\"btn btn-danger ms-2\"<\/span> onclick<\/span>=\"logout()\"<\/span>><\/span>Logout<\/button<\/span>><\/span>\n  <\/div<\/span>><\/span>\n\n  <pre<\/span> id<\/span>=\"out\"<\/span> class<\/span>=\"mt-3\"<\/span>><\/span><\/pre<\/span>><\/span>\n<\/div<\/span>><\/span>\n\n<script<\/span> src<\/span>=\"https:\/\/cdn.jsdelivr.net\/npm\/axios\/dist\/axios.min.js\"<\/span>><\/span><\/script<\/span>><\/span>\n<script<\/span>><\/span>\nlet<\/span> token = null<\/span>;\n\nfunction<\/span> login<\/span>(<\/span>) <\/span>{\n  axios.post('\/api\/auth\/login'<\/span>, {\n    email<\/span>: document<\/span>.getElementById('email'<\/span>).value,\n    password<\/span>: document<\/span>.getElementById('password'<\/span>).value\n  }).then(r<\/span> =><\/span> {\n    token = r.data.access_token;\n    document<\/span>.getElementById('out'<\/span>).textContent = JSON<\/span>.stringify(r.data, null<\/span>, 2<\/span>);\n  }).catch(e<\/span> =><\/span> out(e));\n}\n\nfunction<\/span> me<\/span>(<\/span>) <\/span>{\n  axios.get('\/api\/auth\/me'<\/span>, { headers<\/span>: { Authorization<\/span>: `Bearer ${token}<\/span>`<\/span> }})\n    .then(r<\/span> =><\/span> document<\/span>.getElementById('out'<\/span>).textContent = JSON<\/span>.stringify(r.data, null<\/span>, 2<\/span>))\n    .catch(e<\/span> =><\/span> out(e));\n}\n\nfunction<\/span> refresh<\/span>(<\/span>) <\/span>{\n  axios.post('\/api\/auth\/refresh'<\/span>, {}, { headers<\/span>: { Authorization<\/span>: `Bearer ${token}<\/span>`<\/span> }})\n    .then(r<\/span> =><\/span> { token = r.data.access_token; document<\/span>.getElementById('out'<\/span>).textContent = JSON<\/span>.stringify(r.data, null<\/span>, 2<\/span>) })\n    .catch(e<\/span> =><\/span> out(e));\n}\n\nfunction<\/span> logout<\/span>(<\/span>) <\/span>{\n  axios.post('\/api\/auth\/logout'<\/span>, {}, { headers<\/span>: { Authorization<\/span>: `Bearer ${token}<\/span>`<\/span> }})\n    .then(r<\/span> =><\/span> document<\/span>.getElementById('out'<\/span>).textContent = JSON<\/span>.stringify(r.data, null<\/span>, 2<\/span>))\n    .catch(e<\/span> =><\/span> out(e));\n}\n\nfunction<\/span> out<\/span>(e<\/span>) <\/span>{\n  document<\/span>.getElementById('out'<\/span>).textContent = e.response ? JSON<\/span>.stringify(e.response.data, null<\/span>, 2<\/span>) : e;\n}\n<\/span><\/script<\/span>><\/span>\n@endsection<\/code><\/span>Code language:<\/span> HTML, XML<\/span> (<\/span>xml<\/span>)<\/span><\/small><\/pre>\n\n\n
The page demonstrates the full lifecycle: obtain, use, refresh, and revoke tokens. Perfect for quick end-to-end verification before wiring up your SPA or mobile client.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
Wrapping Up<\/h2>\n\n\n\n
You added JWT authentication to a Laravel API using tymon\/jwt-auth<\/code>, switched the guard, built endpoints to login\/refresh\/logout, protected routes, and tested the flow with a simple UI. JWT keeps servers stateless and scales well. Combine it with HTTPS, short TTLs, token rotation, and blacklist on logout to balance security and usability.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
What\u2019s Next<\/h2>\n\n\n\n