
siteclub

Authenticating an Inertia session in a mobile webview using a token from Sanctum

Hey folks. We are launching a mobile app and, due to tight development timelines, we want to ship a partially complete app. The authentication, homepage, and some features will be native, and the rest will be our webapp hosted in an embedded webview (settings pages, other interactive pages). The mobile app is being developed with Flutter. We use Inertia.js for the webapp frontend.

I am trying to find a way to authenticate these webviews using the token I receive from the native login page. I can attach an "Authentication: Bearer {$token}" header, which works to load individual pages, but once a user does something on the page they are redirected to a login page (for example, forms that make Inertia POST requests).

I've tried adding the middleware from the web group to my api group in hopes that Sanctum will authenticate the user by their token, then the middleware will attach the session cookie. But that doesn't work.

\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,

I've tried POSTing to the /sanctum/csrf-cookie route with the authentication header attached; it doesn't save the cookies either. I've tried creating a route protected by "auth:sanctum" that grabs the user from Auth::user() and then tries to log them in with Auth::login($user), but it doesn't do anything. I've tried adding the AuthenticateSession middleware to the api group, but no luck.

Any suggestions? I've been pulling my hair out on this one! Thanks!

3 replies
tisuchi

@siteclub One possible solution to authenticating an Inertia session in a mobile webview using a token from Sanctum is to use the createFromToken method provided by the Laravel\Sanctum\HasApiTokens trait. This method allows you to create a new user instance from a given token. You can then use this instance to log the user in by calling the login method on the Auth facade.

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    // Adds createToken(), tokens(), currentAccessToken(), tokenCan() to the model.
    use HasApiTokens;

    // ...
}

Then, in your controller or route handling the login, you can use the following:

$user = User::createFromToken($token);

Auth::login($user);

This will authenticate the user and set the necessary session data for the Inertia.js frontend to function properly.

Also make sure that your api middleware group has the Sanctum middleware:

\Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,

Make sure to check that your token is valid and not expired by calling the tokenCan method of the User model with the 'auth' scope:

if ($user->tokenCan('auth')) {
    Auth::login($user);
}

Additionally, you should ensure that the EncryptCookies, AddQueuedCookiesToResponse, and StartSession middleware are added to your API middleware group in the Kernel class, so that cookies are set and encrypted properly.

siteclub

@tisuchi Thanks for the response.

$user = User::createFromToken($token);
Auth::login($user);

Gives me the error: Call to undefined method: App\Models\User::createFromToken()

I looked through HasApiResponses.php and can't find that method or anything similar. Any suggestions?

andreich1980

@siteclub I know it's old, but have you solved your issue?

I think you don't need that createFromToken stuff, you just apply auth:sanctum middleware and it should authenticate the user based on the provided token.
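The pattern the thread is circling around is a one-time exchange: the webview's first navigation carries the Sanctum Bearer token, auth:sanctum validates it (as andreich1980 says, no createFromToken is needed), and the server converts that into a session cookie that Inertia's later XHR requests can ride on. The following is an added example written for this page, not code posted by any participant. It assumes Laravel with Sanctum installed, an App\Models\User using Laravel\Sanctum\HasApiTokens, a hypothetical token ability named 'webview', a device_name field sent by the native login screen, and an Inertia page at /settings; the first route belongs in routes/api.php and the second in routes/web.php.

```php
<?php
// Added example for this thread; not code from any participant or from Laravel/Sanctum docs.
// Assumptions: Laravel + Sanctum, App\Models\User uses HasApiTokens, a hypothetical
// 'webview' token ability, and an Inertia page served at /settings.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\ValidationException;
use Laravel\Sanctum\PersonalAccessToken;

// --- routes/api.php: the native (Flutter) login screen obtains a scoped token ---
Route::post('/login', function (Request $request) {
    $data = $request->validate([
        'email'       => ['required', 'email'],
        'password'    => ['required'],
        'device_name' => ['required', 'string'],
    ]);

    $user = User::where('email', $data['email'])->first();
    if (! $user || ! Hash::check($data['password'], $user->password)) {
        throw ValidationException::withMessages(['email' => 'The provided credentials are incorrect.']);
    }

    // Explicit abilities instead of the default ['*']: only tokens that carry
    // 'webview' may later be exchanged for a browser session.
    return ['token' => $user->createToken($data['device_name'], ['api', 'webview'])->plainTextToken];
});

// --- routes/web.php: exchange the Bearer token for a session cookie ------------
// This route is in the web group, so EncryptCookies, StartSession and
// VerifyCsrfToken run. The webview sends "Authorization: Bearer <token>" on this
// first navigation only; auth:sanctum validates it and resolves the user.
Route::middleware('auth:sanctum')->get('/webview/session', function (Request $request) {
    $user  = $request->user();
    $token = $user->currentAccessToken();

    // Accept only a real personal access token with the right ability. A request
    // already authenticated by the session guard carries a TransientToken instead.
    if (! $token instanceof PersonalAccessToken || ! $token->can('webview')) {
        abort(403, 'This token cannot be exchanged for a web session.');
    }

    // auth:sanctum does not start a session login by itself, so log into the
    // session guard explicitly, then rotate the session id so a cookie planted
    // before authentication cannot be fixated onto the logged-in session.
    Auth::guard('web')->login($user);
    $request->session()->regenerate();

    // The webview now holds the session and XSRF-TOKEN cookies, so Inertia's XHR
    // requests (which cannot add the Bearer header) remain authenticated.
    return redirect('/settings');
})->name('webview.session');
```

Two points worth keeping in mind when adapting this. First, the exchange route must live in the web group: the OP's attempts failed because auth:sanctum in the api group has no StartSession behind it, so Auth::login() has nowhere to write. Second, keep the token in the Authorization header as the OP already does rather than in a query string, since a URL-borne token ends up in server logs and webview history. EnsureFrontendRequestsAreStateful is not what makes this work; it exists for cookie-based SPA authentication from the configured stateful domains.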
