Get current personal access token in Laravel sanctum from request

Stefan Izdrail

Founder & Senior Architect · 2026-06-29

Laravel Company
Retrieving Current Personal Access Token in Laravel Sanctum from Request

Laravel Sanctum v3 is a modern authentication system for your APIs that makes authenticating requests easy. In this article, we will discuss how to fetch the current personal access token used for authentication when working with Laravel Sanctum in an API controller. To achieve this goal, you will need to understand the relationship between JWT and personal access tokens in Laravel Sanctum.

Firstly, let's analyze what happens when you attach auth:sanctum middleware to your API controller. This middleware automatically attaches a personal access token using Laravel Sanctum if an API key is present in the request header. Once the token has been generated, it is stored in the user's session and can be accessed by calling Auth::user()->token. However, this only returns the token but does not give us the entire PersonalAccessToken model.

To retrieve the model itself, you might think of using PersonalAccessToken::find(Auth::id()), which gives us the corresponding access token associated with a particular user. However, it still returns null, and that's because of how Laravel Sanctum works. By default, Laravel Sanctum does not store the actual PersonalAccessToken model in the database. It uses a unique identifier (UUID) to identify each token as opposed to storing the full model. This is done for security reasons, making it difficult to impersonate or create fake tokens.

Given this behavior of Laravel Sanctum, we need to approach retrieval differently. Instead of using the PersonalAccessToken::find method, which only returns null in our case, we can use PersonalAccessToken::where('user_id', Auth::id())->first(). This will return the first instance of the PersonalAccessToken model associated with the currently authenticated user.

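return response()->json([
    // Plain-text bearer token exactly as the client sent it in the Authorization header
    'token' => request()->bearerToken(),
    // PersonalAccessToken model that authenticated this request (HasApiTokens::currentAccessToken())
    'model' => Auth::user()->currentAccessToken(),
], 200);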

Now, you have the current personal access token in both its string form (token) and complete model representation. This approach will provide you with all the needed information about the PersonalAccessToken associated with your user.
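
As an added example (not code from the original article), the hypothetical controller below reads the token that authenticated the current request through currentAccessToken(), which Sanctum's HasApiTokens trait provides on the user model, and revokes only that token. It assumes the User model uses HasApiTokens and that both routes sit behind auth:sanctum; the class name CurrentTokenController is made up for illustration.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Laravel\Sanctum\PersonalAccessToken;

// Hypothetical controller; assumes the User model uses Laravel\Sanctum\HasApiTokens
// and that both routes are protected by the auth:sanctum middleware.
class CurrentTokenController extends Controller
{
    // Return metadata for the token that authenticated this request.
    public function show(Request $request): JsonResponse
    {
        $token = $request->user()->currentAccessToken();

        // Cookie-authenticated SPA requests carry a TransientToken, which has no
        // database row, so only a PersonalAccessToken has metadata to report.
        if (! $token instanceof PersonalAccessToken) {
            return response()->json(['message' => 'Not authenticated with a personal access token.'], 400);
        }

        return response()->json([
            'id'           => $token->id,
            'name'         => $token->name,
            'abilities'    => $token->abilities,
            'last_used_at' => $token->last_used_at,
            'expires_at'   => $token->expires_at,
        ]);
    }

    // Revoke only the token on this request; the user's other tokens stay valid.
    public function destroy(Request $request): JsonResponse
    {
        $token = $request->user()->currentAccessToken();

        if ($token instanceof PersonalAccessToken) {
            $token->delete();
        }

        return response()->json(null, 204);
    }
}
```

Looking the token up through the request rather than by user id matters when a user holds several tokens: a query keyed only on the user returns whichever row comes first, which may not be the credential actually presented.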

Remember that Laravel Sanctum has been designed to offer secure authentication for API-based applications. While it may not be straightforward to retrieve the entire token model, the choice of storing tokens as UUIDs instead of models is intentional and offers better security against impersonation or token manipulation.

Summary:

  • Use Auth::user()->token to get the current personal access token as a string.
  • Alternatively, use PersonalAccessToken::where('user_id', Auth::id())->first() to retrieve the entire PersonalAccessToken model.
  • Laravel Sanctum uses UUIDs for token identifiers, which increases security against impersonation and token manipulation.

Conclusion:

In conclusion, retrieving the current personal access token in Laravel Sanctum from a request is possible using different approaches. However, understanding the security measures taken by Laravel Sanctum and its underlying database storage strategy can help you optimize your code for better performance and security.