Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

nickbasile's avatar

Does Sanctum support user & client tokens?

Right now, we’re building a Laravel API for an ecommerce website. For their website, we will need to have an endpoint that lists all of the inventory and other endpoints that are for customers, like list all transactions.

For the customer endpoints, we’ll have an authenticated user and we’ll just spin up a token for them when they log in.

But, for the inventory endpoint, we won’t always have an authenticated user because guests can see the items for sale. So, we’ll need to access it directly from the client, but we want to also protect it to ensure the data is not publicly available.

Is there a way for Sanctum to support client-based tokens as well as user-based tokens at the same time? Or, is there a better way to go about this?

Thanks for the help!

0 likes
3 replies
LaryAI's avatar
LaryAI
AI
2 years ago
Level 58

Yes, Sanctum supports both user-based tokens and client-based tokens at the same time.

To achieve this, you can use Sanctum's ability to issue multiple token types. By default, Sanctum issues tokens for authenticated users, but you can also configure it to issue tokens for clients.

Here's how you can set it up:

  1. Install Sanctum if you haven't already:
composer require laravel/sanctum
  1. Publish the Sanctum configuration file:
php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

  1. In the config/sanctum.php configuration file, make sure the stateful option is set to true. This allows Sanctum to issue tokens for both authenticated users and clients.

  2. In your AuthServiceProvider, add the Sanctum::usePersonalAccessTokenModel() method call to the boot method. This ensures that Sanctum uses the correct token model for both user and client tokens:

use Laravel\Sanctum\Sanctum;

public function boot()
{
    $this->registerPolicies();

    Sanctum::usePersonalAccessTokenModel(ClientToken::class);
}
  1. Create a new model for client tokens. This model should extend the Laravel\Sanctum\PersonalAccessToken class:
use Laravel\Sanctum\PersonalAccessToken;

class ClientToken extends PersonalAccessToken
{
    // Add any additional logic or customization you need for client tokens
}
  1. In your authentication logic, when a user logs in, you can generate a user token using Sanctum's createToken method:
use Illuminate\Support\Facades\Auth;

$user = Auth::user();
$token = $user->createToken('user-token')->plainTextToken;
  1. For client-based tokens, you can generate a token using the createToken method on the ClientToken model:
use App\Models\ClientToken;

$clientToken = ClientToken::create([
    'tokenable_id' => null, // Set to null for client tokens
    'name' => 'client-token',
    'token' => 'your-client-token', // Generate a unique token for each client
]);

Now, you can use the generated tokens for authentication. User tokens can be used for authenticated user endpoints, while client tokens can be used for the inventory endpoint that is accessible to guests.

Remember to handle token authentication in your API routes using Sanctum's middleware.

I hope this helps! Let me know if you have any further questions.

1 like

Please or to participate in this conversation.