
dealense's avatar

Laravel Sanctum

How can I see the plain text of an already created API token? This is what I do so that the user is able to see it again. Is that good?

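```php
use Illuminate\Support\Facades\Crypt;

// Create the API token
$token = $user->createToken('token-name');

// Get the plain-text API token
$token->plainTextToken;

// Generate the application key used by Crypt (shell command):
// php artisan key:generate

// Write it to the users table (encryptString() needs the string, not the token object)
$user->pkey = Crypt::encryptString($token->plainTextToken);

// Show it to the user when wanted
Crypt::decryptString($user->pkey);
```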

0 likes
3 replies
thewebartisan7's avatar

You don't need to encrypt it. When you call createToken() and get the $token instance, you have only that one chance to get $token->plainTextToken; after that the token is already saved in the database hashed and can't be retrieved in plain text anymore. It's like storing a password once.

You should return plainTextToken to the client that asked for it, which will store it on the client side for further access to the API.

Read more here https://laravel.com/docs/7.x/sanctum#api-token-authentication

dealense's avatar

@thewebartisan7 with $user->tokens()->first()->token you can get Hashed Token.

Can you tell me how to get decoded one from the database?

1 like
thewebartisan7's avatar

You can't decode a hash; it is not "encrypted" but hashed. Hashing goes in only one direction, with no coming back, like a password.

When making requests using API tokens, the token should be included in the Authorization header as a Bearer token.

You then just protect your routes using Route::middleware('auth:sanctum')

The rest is handled by Sanctum.

Did I explain myself well?

See here for additional info https://pediaa.com/what-is-the-difference-between-hashing-and-encryption/

2 likes
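
The show-once, store-only-the-hash pattern described in the replies above, as an added example that is not part of the original posts and is not Sanctum's own code: plain PHP with an in-memory array standing in for the token table. The `TokenStore` class, its method names and the `id|secret` token layout are assumptions made for illustration.

```php
<?php
// Added illustration: the $rows array is a constructed stand-in for the
// database table that holds one hashed token per row.

final class TokenStore
{
    private array $rows = [];   // id => ['name' => ..., 'token' => sha256 hex digest]
    private int $nextId = 1;

    // Issue a token: persist only its SHA-256 digest, return the plain text once.
    public function issue(string $name): string
    {
        $secret = bin2hex(random_bytes(20));   // random secret, never stored
        $id = $this->nextId++;
        $this->rows[$id] = ['name' => $name, 'token' => hash('sha256', $secret)];
        return $id . '|' . $secret;            // the only moment the plain text exists server-side
    }

    // Verify a bearer token: hash what was presented, compare in constant time.
    public function verify(string $bearer): bool
    {
        if (strpos($bearer, '|') === false) {
            return false;
        }
        [$id, $secret] = explode('|', $bearer, 2);
        $row = $this->rows[(int) $id] ?? null;
        return $row !== null && hash_equals($row['token'], hash('sha256', $secret));
    }

    // A lost token cannot be shown again, so revoke its row and issue a new one.
    public function rotate(string $bearer, string $name): ?string
    {
        if (!$this->verify($bearer)) {
            return null;
        }
        [$id] = explode('|', $bearer, 2);
        unset($this->rows[(int) $id]);
        return $this->issue($name);
    }

    public function storedHash(int $id): ?string
    {
        return $this->rows[$id]['token'] ?? null;
    }
}

$store = new TokenStore();
$plain = $store->issue('token-name');
var_dump($store->verify($plain));                        // the plain token authenticates
var_dump($store->verify('1|' . $store->storedHash(1)));  // the stored digest does not
$new = $store->rotate($plain, 'token-name');
var_dump($store->verify($plain), $store->verify($new));  // old token revoked, new one valid
```

Because the row holds only a digest, someone who reads the table cannot replay its contents as a bearer token, which is the property lost when a decryptable copy is kept next to it.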
