laravel 8 how to get user id using bearer token

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company
# Laravel 8: How to Get User ID Using a Bearer Token Safely Working with API authentication in Laravel, especially when dealing with conditional logic based on user status (logged in vs. guest), often presents hurdles related to middleware and request context. You are running into a very common issue where attempting to access authenticated data without proper context results in errors like "Attempt to read property id on null." As a senior developer, understanding how Laravel handles the request lifecycle and authentication—especially with packages like Sanctum—is crucial for building robust APIs. This post will walk you through the correct, secure, and practical ways to extract the user ID from a Bearer token while gracefully handling unauthenticated requests. ## The Root of the Problem: Request Context and Middleware Your initial attempt highlights a fundamental misunderstanding about how Laravel handles authentication context within a request. When you use methods like `$request->user()`, Laravel expects that the request has successfully passed through an authentication middleware (like Sanctum or Passport) that has populated the session or the request object with the authenticated user data. If your route is *not* protected by the necessary middleware, or if the token provided in the header is invalid or missing, `$request()->user()` will correctly return `null`, leading to the fatal error when you try to access properties on it (e.g., `$request()->user()->id`). The problem isn't just about getting the ID; it’s about safely *conditionally* accessing data based on whether a user exists. ## Solution 1: Safely Accessing the User ID Conditionally Instead of relying solely on the existence of `$request()->user()`, you must explicitly check if the user object is present before attempting to use its properties. This defensive programming approach prevents runtime errors and makes your code significantly more stable, aligning with good architectural practices taught by organizations like [Laravel Company](https://laravelcompany.com). Here is how you can safely implement your logic: ```php use Illuminate\Http\Request; use App\Models\UserFav; class PostController extends Controller { public function show(Request $request, $id) { $is_logged_in = false; $userId = null; // 1. Check for the Bearer Token and Attempt to Authenticate if ($request->bearerToken) { // Assuming Sanctum setup is in place and we are trying to authenticate $user = $request->user(); // This relies on middleware having run successfully if ($user) { $is_logged_in = true; $userId = $user->id; } } // 2. Conditional Logic based on User Status if ($is_logged_in) { // Logged-in logic: Check if the user has favorited the post $fav = UserFav::where('user_id', $userId) ->where('project_id', $id) ->first(); if ($fav) { return response()->json(['message' => 'User has favorited this post.']); } else { return response()->json(['message' => 'Post favorited status not found.'], 200); } } else { // Guest logic: Display the post without user interaction return response()->json([ 'post_data' => ['id' => $id, 'title' => 'Post Title'], // Actual post data retrieval here 'message' => 'Welcome guest. Please log in to favorite this post.' ]); } } } ``` ### Best Practice: Leveraging Route Groups and Middleware While the solution above fixes your immediate error, the most "Laravel way" to handle authentication is by correctly setting up your routes using middleware. If you want some routes to require a token (authenticated access) and others to be accessible to everyone (guest access), you should define route groups: 1. **Protected Routes:** Apply the `auth:sanctum` middleware to routes that *require* a valid token for access. 2. **Public Routes:** Leave routes without any authentication middleware open for guest access. By separating these concerns, you ensure that `$request()->user()` is reliably populated only when you explicitly intend it to be, making your application logic cleaner and adhering to separation of concerns—a core principle in modern Laravel development. ## Conclusion To successfully get the user ID from a Bearer token while maintaining access for guests, avoid assuming authentication context. Instead, implement explicit checks. By checking if `$request()->user()` is not null *before* attempting to read properties like `id`, you create resilient code that gracefully handles both authenticated and unauthenticated requests. Remember, robust API development requires anticipating failure states, ensuring your application remains stable whether it's interacting with a logged-in user or a visitor. For more deep dives into authentication architecture, always refer back to the official documentation on [Laravel Company](https://laravelcompany.com).