Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

Modi.Bade's avatar

Laravel-echo authorizer not working

window.Echo = new Echo({
broadcaster: 'socket.io',
host: 'http://ip:6001',
transports: ['websocket'],
authorizer: (channel, options) => {
    return {
        authorize: (socketId, callback) => {
            axios.post('/custom/auth', {
                socket_id: socketId,
                channel_name: channel.name
            })
            .then(response => {
                callback(false, response.data);
            })
            .catch(error => {
                callback(true, error);
            });
        }
    };
},
});

i need custom authorization request but authorizer does not make request

any solutions ?

0 likes
2 replies
christian-qode's avatar

Just spent hours on this issue, but the 'authorizer' callback only exists in the Pusher libary, it doesn't exists in the Socket.io library. Very annoying..

Best way to make this work - I guess - with Socket.io and Sanctum is to sent a Bearer Authorization token in the request. But you should find someway to don't create a new personal access token on every request.

              auth: {
                 headers: {
                   Authorization: 'Bearer [token]' ,
                 },
               },
1 like
christian-qode's avatar

I ended up with the following code to create Sanctum access tokens for the user to authorize the Echo server.

          // Get Broadcast token
          if($request->session()->has('broadcastToken')){
            $broadcastToken = $request->session()->get('broadcastToken');
          }else{
            // Delete old tokens and create new one
            Auth::user()->tokens()->get()->filter(fn($token) => in_array('broadcast', $token->abilities))->map(function($token){
              $token->delete();
            });
            $broadcastToken = Auth::user()->createToken('Broadcast ' . Auth::user()->id . '-' . time(), ['broadcast'])->plainTextToken;
            $request->session()->put('broadcastToken', $broadcastToken);
          }

Because my application uses Inertia, this code is added to the HandleInertiaRequests middleware to make the Broadcast token available globally.

In my BroadcastServiceProvider I've specified the abilities:

        Broadcast::routes(['middleware' => ['auth:sanctum', 'abilities:broadcast']]);

In this case, the access token can only be used for broadcasting.

Please or to participate in this conversation.