
HMDagher's avatar

Issuing sanctum tokens for 2 models, Please HELP!!

Hello all,

I'm building an admin panel and APIs for a Mobile App.

For the admin panel, I used the default User model to Auth Web (users who will manage the admin panel, with roles and permissions) and gates to authorize.

For the APIs, I wanna use 2 models (MobileUser, StoreUser)

My questions are as follows:

What is the proper way to authenticate/issue tokens for both models using Sanctum?

- Is it just like adding (in both models):

```php
use Laravel\Sanctum\HasApiTokens;

use HasApiTokens; // as a trait
```

- Or should I add more, like (in both models):

```php
use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
use Illuminate\Auth\Authenticatable;
use Illuminate\Database\Eloquent\Model;
use Laravel\Sanctum\HasApiTokens;

class MobileUser extends Model implements AuthenticatableContract
// class StoreUser extends Model implements AuthenticatableContract
{
    use HasApiTokens, Authenticatable;
}
```

- Should I add MobileUser and StoreUser as providers in config/auth.php?

```php
'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model'  => App\Models\User::class,
        ],
        'mobileusers' => [
            'driver' => 'eloquent',
            'model'  => App\Models\MobileUser::class,
        ],
        'storeusers' => [
            'driver' => 'eloquent',
            'model'  => App\Models\StoreUser::class,
        ],
    ],
```

- And guards in config/auth.php as follows:

```php
'guards' => [
        'web' => [
            'driver'   => 'session',
            'provider' => 'users',
        ],

        'api' => [
            'driver'   => 'token',
            'provider' => 'mobileusers','storeusers',
            'hash'     => true,
        ],
    ],
```

**This is the Api/AuthController for MobileUser**

```php
<?php
namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use App\Models\MobileUser;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

class AuthController extends Controller
{
    public function register(Request $request)
    {
        $request->validate([
            'username' => 'required|min:3',
            'email' => 'required|email',
            'password' => 'required|min:6',
            'first_name' => 'required',
            'last_name' => 'required',
            'phone_number' => 'required',
        ]);

        // Store only the bcrypt hash of the password, never the plain text.
        $user = MobileUser::create([
            'username' => $request->username,
            'email' => $request->email,
            'password' => bcrypt($request->password),
            'first_name' => $request->first_name,
            'last_name' => $request->last_name,
            'phone_number' => $request->phone_number,
        ]);

        return response()->json($user);
    }

    public function login(Request $request)
    {
        $request->validate([
            'email' => 'email|required',
            'password' => 'required'
        ]);

        $user = MobileUser::where('email', $request->email)->first();

        // Same error for an unknown email and for a wrong password.
        if (! $user || ! Hash::check($request->password, $user->password)) {
            throw ValidationException::withMessages([
                'email' => ['The provided credentials are incorrect.'],
            ]);
        }

        // Issue a Sanctum personal access token, named after the user's email.
        $authToken = $user->createToken($request->email)->plainTextToken;

        return response()->json([
            'access_token' => $authToken,
        ]);
    }
}
```

And the Sanctum configuration was a bit confusing: https://laravel.com/docs/8.x/sanctum#configuration

Thanks in advance

0 likes
4 replies
kossa's avatar
kossa
Best Answer

I already had the same issue; in my case I always "Keep It Simple".

Just use the User model, and add a field named role to distinguish the role of the user.

I had a big solution with complicated roles/permissions; for that I used https://github.com/spatie/laravel-permission

In the end you won't have to worry about Sanctum, all your users are in the same table 😉

martinbean's avatar

> For the APIs, I wanna use 2 models (MobileUser, StoreUser)

@hmdagher Why? A user is a user. Use roles and then authorisation to determine what a user can do based on their role(s).

1 like
HMDagher's avatar

My plan was as follows:

- User model for employees who will maintain the admin panel (web)

- MobileUser model for customers who will register and log in through the app

- StoreUser model for stores who will register and log in through the app

If I used the same User model with different roles (management_user, mobile_user, store_user), maybe this will let the (mobile_user, store_user) log in to the admin panel?

It would be a mess if I put all the data in 1 table.

Or should I make relations between the User model and other models like MobileUserData and StoreUserData based on the role from the User model??

Thanks for your support @kossa @martinbean <3

kossa's avatar

> If I used the same User model with different roles (management_user, mobile_user, store_user), maybe this will let the (mobile_user, store_user) log in to the admin panel?

=> Just use middleware.

> It would be a mess if I put all the data in 1 table.

=> They are users, in one table or two tables, no problem; you'll resolve a duplicated email (if you use 2 tables).

> Or should I make relations between the User model and other models like MobileUserData and StoreUserData based on the role from the User model??

=> For extra fields I prefer to create a new table, let's name it user_meta (user_id:foreignId, key:string, data:json), and you store all custom data (fields) for the user there; no need to make a migration each time you need a new field.
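
The "just use middleware" suggestion above, sketched as an added example that is not part of the original thread: a role-checking middleware that keeps mobile_user and store_user accounts out of the admin panel while sharing one User model. It assumes a string `role` column on the users table holding the role names from the thread; the class name `EnsureRole` and the `role` middleware alias are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes users.role holds one of
// management_user, mobile_user or store_user. EnsureRole and the 'role'
// alias are hypothetical names.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureRole
{
    /**
     * Let the request through only when the authenticated user's role is one
     * of the roles listed on the route, e.g. ->middleware('role:management_user').
     * An empty role list matches nobody, so a misconfigured route fails closed.
     */
    public function handle(Request $request, Closure $next, string ...$roles)
    {
        $user = $request->user();

        // The auth middleware should already have rejected guests, but fail
        // closed if this middleware is ever attached on its own.
        if ($user === null) {
            abort(401);
        }

        // Strict comparison so a null or unexpected role value never matches.
        if (! in_array($user->role, $roles, true)) {
            abort(403);
        }

        return $next($request);
    }
}

// app/Http/Kernel.php, in $routeMiddleware:
//     'role' => \App\Http\Middleware\EnsureRole::class,
//
// routes/web.php (session guard, admin panel):
//     Route::middleware(['auth', 'role:management_user'])->prefix('admin')->group(...);
//
// routes/api.php (Sanctum tokens, mobile app):
//     Route::middleware(['auth:sanctum', 'role:mobile_user,store_user'])->group(...);
```

The same middleware serves both guards because it only reads `$request->user()`, so a valid session or token for the wrong role gets a 403 rather than access.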
