Laravel Sanctum login
Stefan Bogdanescu
Founder & Senior Architect · 2026-06-29
# Mastering Hybrid Authentication: Laravel Sanctum for Web and API Login
As a senior developer working with Laravel, you often encounter scenarios where you need to serve both modern, stateless API access (using tokens) and traditional, stateful web session authentication (using cookies). The confusion arises when implementing Laravel Sanctum, as its capabilities can seem siloed. You need a mechanism that allows a user to log in once and receive credentials usable by both the mobile/backend services and the browser session simultaneously.
This post will walk you through how to architect this hybrid login flow effectively using Laravel Sanctum, ensuring your API security remains robust while enabling seamless web interactions.
## The Sanctum Dichotomy: Tokens vs. Sessions
Laravel Sanctum is powerful because it abstracts two distinct authentication methods:
1. **API Tokens (Stateless):** These are ideal for mobile apps or pure SPA frontends. They are long-lived, sent in the `Authorization: Bearer ` header, and require no server-side session management for every request.
2. **Web Sessions/Cookies (Stateful):** This is traditional web authentication. It relies on Laravelâs built-in session handling, where a cookie is set upon login, maintaining the user state across subsequent requests.
The problem you are facingâwhere API works but web authorization fails after token creationâusually stems from not correctly linking the initial login event to both systems, or attempting to use a pure API token for route protection that expects a session cookie.
## The Hybrid Solution: Bridging Login and Token Generation
The solution lies in using Sanctum to manage *both* types of authentication paths originating from a single login endpoint. You will handle the user verification via standard Laravel sessions/cookies, and then generate the necessary tokens for API use separately.
### Step 1: Standard Web Login (Session Establishment)
When a user logs in via a web form, you establish a traditional session. This ensures that the browser maintains a stateful connection.
```php
// Example Controller Method for Web Login
public function login(Request $request)
{
$credentials = $request->only('email', 'password');
if (Auth::attempt($credentials)) {
$user = Auth::user();
// 1. Establish the session/cookie for web access
$request->session()->put('user_id', $user->id);
// 2. Create an API token for mobile/API use (if applicable)
$token = $user->createToken('api_token', ['server:read']);
return response()->json([
'message' => 'Login successful',
'token' => $token->plainTextToken, // Return the token to the client
'user' => $user
]);
}
return response()->json(['message' => 'Invalid credentials'], 401);
}
```
Notice how in this single operation, we achieve both goals: setting a session (for web) and creating a Sanctum token (for API). This pattern is crucial for building comprehensive applications, aligning with sound architectural principles found within the Laravel ecosystem.
### Step 2: Securing Routes Based on Context
Once logged in, you must differentiate how your routes are protected:
* **Web Routes:** Protect these using standard middleware like `auth` or Sanctum's web-specific guard if you are setting up SPA authentication.
* **API Routes (Token-based):** Protect these using the `auth:sanctum` middleware, which checks for a valid token in the request header.
By separating the logicâusing sessions for session-heavy views and tokens for stateless APIsâyou ensure that neither system interferes with the other. This modular approach is fundamental to scalable application design on platforms like Laravel.
## Conclusion
The challenge of integrating web sessions and API tokens is not a failure of Sanctum, but rather an opportunity to use its flexibility correctly. By treating the login process as a multi-faceted transactionâestablishing a session *and* generating a tokenâyou successfully satisfy both your front-end needs. Remember that understanding the context (stateless vs. stateful) for each request is the key to mastering authentication in any modern Laravel application, ensuring robust security and excellent user experience across all platforms.