Farirai

Facing problems with my Laravel API when using Sanctum tokens

I created two APIs. The first one, 127.0.0.1/setup, generates auth tokens. Once I got the token, I went to post: under Authorization I put the token I got from the /setup route, then I sent a POST request to the route 127.0.0.1:8000/api/V1/users. But now I'm moving to production and want an easier way of authorising, maybe adding the auth token at the end of the second route.

my web.php

```
<?php

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;

/*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider and all of them will
| be assigned to the "web" middleware group. Make something great!
|
*/

Route::get('/', function () {
    return view('welcome');
});

Route::get('/setup', function () {
    if (Auth::check()) {
        $user = Auth::user();
    } else {
        $user = new User();
        $user->title = 'Mr';
        $user->first_name = 'John';
        $user->last_name = 'Makai';
        $user->address = '[email protected]';
        $user->password = Hash::make('password2');
        $user->id_number = '127758595950';
        $user->number = '263781840678';

        $user->save();

        Auth::login($user);
    }

    $adminToken = $user->createToken('admin-token', [
        'create',
        'update',
        'delete',
    ]);
    $updateToken = $user->createToken('update-token', ['create', 'update']);
    $createToken = $user->createToken('create-token', ['create']);

    return [
        'admin' => $adminToken->plainTextToken,
        'create' => $createToken->plainTextToken,
        'update' => $updateToken->plainTextToken,
    ];
});
```

my api.php

```
<?php

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\Api\V1\UserController;

/*
|--------------------------------------------------------------------------
| API Routes
|--------------------------------------------------------------------------
|
| Here is where you can register API routes for your application. These
| routes are loaded by the RouteServiceProvider and all of them will
| be assigned to the "api" middleware group. Make something great!
|
*/

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

Route::group(
    [
        'prefix' => 'V1',
        'namespace' => 'App\Http\Controllers\Api\V1',
        'middleware' => 'auth:sanctum',
    ],
    function () {
        Route::apiResource('users', UserController::class);
    }
);
```

LaryAI

To simplify the authorization process, you can pass the token as a query parameter in the URL. To do this, you need to modify the api.php file as follows:

```
Route::group(
    [
        'prefix' => 'V1',
        'namespace' => 'App\Http\Controllers\Api\V1',
        'middleware' => 'auth:sanctum',
    ],
    function () {
        Route::apiResource('users', UserController::class);
    }
)->middleware(function ($request, $next) {
    if ($request->has('token')) {
        $token = $request->input('token');
        $user = \App\Models\User::where('api_token', $token)->first();
        if ($user) {
            auth()->login($user);
        }
    }
    return $next($request);
});
```

This code adds a middleware to the Route::group that checks if the request has a token query parameter. If it does, it retrieves the user with the corresponding api_token and logs them in using auth()->login($user). This way, you can pass the token as a query parameter in the URL like this:

http://127.0.0.1:8000/api/V1/users?token=your-token-here

Note that this approach is less secure than using the Authorization header, as the token will be visible in the URL. It is recommended to use the Authorization header in production environments.
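
The caveat in the reply above, that a token in the URL is visible, shows up first in web-server access logs. As an added example (not code from this thread or from Laravel), the Python script below scans access-log lines for a `token` query parameter, redacts it, and extracts the Sanctum token id (the part before `|` in a plain-text token) so the exposed tokens can be revoked. The log lines are constructed; the common log format and the parameter name `token` are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample lines in common access-log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2025:10:00:01 +0000] "GET /api/V1/users?token=3%7CconstructedSecretAAAA HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Mar/2025:10:00:05 +0000] "POST /api/V1/users HTTP/1.1" 201 230',
    '198.51.100.9 - - [01/Mar/2025:10:02:11 +0000] "GET /api/V1/users?page=2&token=5|constructedSecretBBBB HTTP/1.1" 200 498',
    '198.51.100.9 - - [01/Mar/2025:10:03:40 +0000] "GET /api/V1/users?token=opaque-value HTTP/1.1" 401 0',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
PARAM = "token"  # assumed query parameter name, as in the reply above


def scan_line(line):
    """Return (redacted_line, token_id_or_None, leaked) for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, None, False
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # also decodes %7C to |
    leaked = [v for k, v in pairs if k == PARAM]
    if not leaked:
        return line, None, False
    # Sanctum plain-text tokens are "<id>|<secret>"; <id> is the row id in
    # personal_access_tokens, which is enough to find and revoke the token.
    head, sep, _ = leaked[0].partition("|")
    token_id = int(head) if sep and head.isdigit() else None
    safe = [(k, "REDACTED" if k == PARAM else v) for k, v in pairs]
    target = urlunsplit(parts._replace(query=urlencode(safe)))
    redacted = line[:m.start("target")] + target + line[m.end("target"):]
    return redacted, token_id, True


def triage(lines):
    """Return (sorted token ids to revoke, leaks without an id, redacted lines)."""
    ids, unknown, clean = set(), 0, []
    for line in lines:
        redacted, token_id, leaked = scan_line(line)
        clean.append(redacted)
        if leaked and token_id is not None:
            ids.add(token_id)
        elif leaked:
            unknown += 1
    return sorted(ids), unknown, clean


if __name__ == "__main__":
    print(triage(SAMPLE_LOG)[:2])
```
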
