Laravel offers two main authentication packages: Sanctum and Passport. They solve different problems: Sanctum is lightweight and best for SPAs and mobile apps, while Passport is a full OAuth2 server. Let's break it down with examples and comparisons.
1. Quick Comparison
| Feature | Sanctum | Passport |
|---|---|---|
| Use case | First-party SPA and simple API tokens | Full OAuth2 server with scopes and grants |
| Complexity | Simple, easy to set up | Advanced, more configuration needed |
| Token type | Personal access tokens, SPA cookies | Access + refresh tokens |
| Best for | Single backend apps, mobile APIs | Third-party integrations, OAuth2 |
2. Sanctum Setup Example
Sanctum is great for issuing API tokens and handling SPA cookie-based auth. Here’s how to set it up:
```shell
composer require laravel/sanctum
php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
php artisan migrate
```
Add HasApiTokens to your User model:
```php
// app/Models/User.php
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens, Notifiable; // adds createToken(), tokens(), tokenCan()
}
```
Issue a Token
```php
// e.g. in a login controller, after the user's credentials have been verified
$token = $user->createToken('mobile-token')->plainTextToken;
return ['token' => $token];
```
Protect Routes
```php
// routes/api.php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->get('/profile', function (Request $request) {
    return $request->user();
});
```
✅ Sanctum is lightweight, fast to implement, and perfect for single-page apps and mobile APIs.
❌ No built-in refresh tokens or complex OAuth2 features.
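The snippets above issue a token that can do anything the user can. As an added example (not from the original post), here is the same flow with least-privilege token abilities and revocation: the login route verifies credentials and issues a token limited to `profile:read`, a write route refuses any token lacking `profile:write`, and logout revokes only the token that made the request. The ability names and the `/login` and `/logout` routes are assumptions chosen for the example.

```php
<?php
// routes/api.php (added example, not part of the original post)
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;

// Login: check credentials, then issue a token restricted to one ability.
Route::post('/login', function (Request $request) {
    $data = $request->validate([
        'email'    => ['required', 'email'],
        'password' => ['required'],
    ]);

    $user = User::where('email', $data['email'])->first();
    if (! $user || ! Hash::check($data['password'], $user->password)) {
        // Same message for unknown user and wrong password: no account enumeration.
        return response()->json(['message' => 'Invalid credentials'], 401);
    }

    // Second argument is Sanctum's ability list; grant only what this client needs.
    $token = $user->createToken('mobile-token', ['profile:read'])->plainTextToken;

    return response()->json(['token' => $token]);
});

Route::middleware('auth:sanctum')->group(function () {
    // Read: allowed, because the token was issued with 'profile:read'.
    Route::get('/profile', function (Request $request) {
        abort_unless($request->user()->tokenCan('profile:read'), 403);
        return $request->user();
    });

    // Write: rejected with 403, because 'profile:write' was never granted.
    Route::put('/profile', function (Request $request) {
        abort_unless($request->user()->tokenCan('profile:write'), 403);
        $request->user()->update($request->validate(['name' => ['required', 'string']]));
        return $request->user();
    });

    // Logout: revoke the current token only; other devices stay signed in.
    Route::post('/logout', function (Request $request) {
        $request->user()->currentAccessToken()->delete();
        return response()->noContent();
    });
});
```

Revoking every token for the user (for example after a password change) is `$request->user()->tokens()->delete()` instead of `currentAccessToken()->delete()`.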
3. Passport Setup Example
Passport is for advanced use cases: when you need OAuth2 features such as third-party clients, scopes, and refresh tokens.
```shell
composer require laravel/passport
php artisan migrate
php artisan passport:install
```
Register Passport routes in AuthServiceProvider:
```php
// app/Providers/AuthServiceProvider.php
use Laravel\Passport\Passport;

public function boot()
{
    $this->registerPolicies();
    Passport::routes(); // Passport 10 and earlier; Passport 11+ registers its routes automatically
}
```
Requesting a Token (Password Grant)
```http
POST /oauth/token
Content-Type: application/json

{
  "grant_type": "password",
  "client_id": "CLIENT_ID",
  "client_secret": "CLIENT_SECRET",
  "username": "user@example.com",
  "password": "secret",
  "scope": ""
}
```
Protect Routes
```php
// routes/api.php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:api')->get('/user', function (Request $request) {
    return $request->user();
});
```
✅ Passport supports OAuth2, scopes, refresh tokens, and third-party apps.
❌ Setup is heavier and often unnecessary if you just need first-party authentication.
4. Quick Recap
- Sanctum: Simple tokens + SPA cookies, best for your own apps.
- Passport: Full OAuth2 server, best for third-party access and advanced auth flows.