vincent15000

Sanctum and stateful domains

Hello,

The application is with Laravel and VueJS and other services in docker containers.

To authenticate a user, I'm using Sanctum with the SESSION_DRIVER environment variable set to cookie.

To accept some domains, I have to set the SANCTUM_STATEFUL_DOMAINS environment variable with the allowed domains.

And here is my problem: I need to accept all domains.

The application will be in a docker package and everyone who will use it has to be able to connect no matter from which domain name and/or IP address in the organization.

I think that I have to change the SESSION_DRIVER to something other than cookie; furthermore, Sanctum needs the allowed domains to be explicitly mentioned. Can you confirm this, please?

So what would be the solution to authenticate a user?

  • Is it possible with Sanctum and, if yes, how?

  • Perhaps with Passport, but I think that it's too complex just for my problem; Passport is probably more appropriate if I need to give access to the API outside of the application itself.

  • Otherwise a simple JSON web token?

  • Can you suggest some other solutions?

Thanks for your help.

V

vincent15000

I have tested the AI suggestion for Sanctum: configure the stateful domains dynamically via a middleware.

But I think that Laravel already does the same with Sanctum::currentApplicationUrlWithPort() in the sanctum configuration file.

'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
    '%s%s',
    // 'localhost,localhost:3000,localhost:5173,127.0.0.1,127.0.0.1:5173,127.0.0.1:8000,51.91.67.137:2080,::1',
    '',
    Sanctum::currentApplicationUrlWithPort()
))),

I think that I have the answer: impossible with Sanctum, given that it's necessary to have the back and the front on the same domain.

When reading the Sanctum documentation once again, I think that API token authentication could work.

https://laravel.com/docs/11.x/sanctum#api-token-authentication

What do you think about it with regard to my problem?
