
dukesteen

Sanctum for "external user" authentication

Hi, general question about the usage of Sanctum (the Laravel package). The current application architecture is like this: a monolithic Laravel application that uses the default session-based authentication mechanism. In this application "external users" can be defined so that certain data can be accessed by people who don't necessarily have a full application account. These "external users" should be able to authenticate with a SPA application that will grab data from Laravel API endpoints. Would Sanctum be a good solution for this? The application user and external user are different tables in the database.

Please ask if I need to provide more information.

0 likes
6 replies
tisuchi
Best Answer
Level 70

@dukesteen My opinion is yes: Sanctum can be a good solution for this use case. Sanctum allows for token-based authentication for SPA applications that need to access your Laravel API endpoints. It can handle both traditional session-based authentication and token-based authentication, so you can use it to authenticate both your full application users and external users.

1 like
dukesteen

@tisuchi So would you say that the external users should use token-based authentication and not the Sanctum cookie-based authentication? For now the external users access a portal on a different domain, but the portal could probably be put on the same domain as the Laravel application under a different subdomain (portal.tenant.site.com).

dukesteen

@tisuchi Would it be wise to route all traffic through a proxy that sets a httponly cookie with the token instead of calling the api directly from the SPA and storing the token in localStorage for example?

tisuchi

@dukesteen Routing traffic through a proxy that sets a httponly cookie with the token can be a good idea for security reasons.

Using localStorage to store the token can be vulnerable to cross-site scripting (XSS) attacks. With an httponly cookie, it would be more difficult for an attacker to steal the token, as it would not be accessible through JavaScript.
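
The cookie transport discussed in this reply, as an added example that is not part of the thread and not Sanctum's own code: the backend issues the Sanctum token, puts the plain-text token into an encrypted, HttpOnly, Secure, SameSite=Strict cookie instead of returning it in the JSON body, and a small middleware copies the cookie value into the Authorization header so that the standard `auth:sanctum` guard sees a normal bearer token. The cookie name `portal_token`, the middleware class `BearerTokenFromCookie` and its alias `bearer.cookie` are assumed names chosen for this example. One consequence to keep in mind: once the token travels in a cookie the browser attaches it automatically, so the same-site restriction on the cookie and a tight CORS allow-list for the portal origin are what stand in for the CSRF protection that a header-carried token gives you for free.

```php
<?php
// Added example (not from the thread). Assumed names: cookie "portal_token",
// middleware BearerTokenFromCookie aliased as "bearer.cookie".

// --- file: app/Http/Middleware/BearerTokenFromCookie.php ---
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class BearerTokenFromCookie
{
    public function handle(Request $request, Closure $next)
    {
        // Only synthesise the header when the client did not send one itself.
        // Laravel's EncryptCookies middleware has already decrypted the cookie
        // by the time this runs, so cookie() returns the plain Sanctum token.
        if (! $request->bearerToken() && $request->hasCookie('portal_token')) {
            $request->headers->set(
                'Authorization',
                'Bearer ' . $request->cookie('portal_token')
            );
        }

        return $next($request);
    }
}

// --- file: app/Http/Controllers/PortalSessionController.php (token issuance) ---
namespace App\Http\Controllers;

use App\Models\ExternalUser;
use Illuminate\Http\Request;

class PortalSessionController extends Controller
{
    // $user is an already-authenticated ExternalUser (credential check omitted here).
    public function issue(Request $request, ExternalUser $user)
    {
        $lifetimeMinutes = 8 * 60;

        // Same lifetime for the token and for the cookie that carries it.
        $plain = $user->createToken(
            'portal',
            ['portal:read'],
            now()->addMinutes($lifetimeMinutes)
        )->plainTextToken;

        // cookie($name, $value, $minutes, $path, $domain, $secure, $httpOnly, $raw, $sameSite)
        // Secure + HttpOnly + SameSite=Strict: not readable from JavaScript, never sent
        // over plain HTTP, and not attached to cross-site requests.
        return response()->noContent()->withCookie(
            cookie('portal_token', $plain, $lifetimeMinutes, '/', null, true, true, false, 'Strict')
        );
    }

    public function destroy(Request $request)
    {
        // Revoke the token server-side and expire the cookie in the same response.
        $request->user()->currentAccessToken()->delete();

        return response()->noContent()->withCookie(cookie()->forget('portal_token'));
    }
}

// --- file: routes/api.php (fragment) ---
// use Illuminate\Support\Facades\Route;
//
// Route::middleware(['bearer.cookie', 'auth:sanctum'])->group(function () {
//     Route::get('/portal/data', fn (Request $r) => $r->user()->only(['id', 'email']));
//     Route::delete('/portal/session', [PortalSessionController::class, 'destroy']);
// });
```

The middleware has to run before `auth:sanctum` in the group, which is why it is listed first; the `bearer.cookie` alias is something you register yourself (in `bootstrap/app.php` on Laravel 11, or the HTTP kernel on older versions). Because the token is never handed to JavaScript, the SPA simply calls the API with `credentials: 'include'` and has nothing to store.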

dukesteen

@tisuchi Alright, thank you! What are the security implications of using a token that cannot expire? Should I set an expiration for the Sanctum API tokens on the backend of my Laravel application?
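
The setup the accepted answer describes (a second table authenticating against the API with Sanctum tokens) together with the expiry question just raised, as an added example that is not from the thread and not the project's own code. The `ExternalUser` model, the `external_users` table, the `PortalTokenController` class and the `portal:read` ability are assumed names. Sanctum resolves a token to its model through the polymorphic `tokenable` relation on `personal_access_tokens`, so no extra guard or provider is needed for a second model: any Eloquent model using `HasApiTokens` can issue and be authenticated by tokens.

```php
<?php
// Added example (not from the thread). Assumed names: ExternalUser model,
// external_users table, PortalTokenController, "portal:read" ability.

// --- file: app/Models/ExternalUser.php ---
namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Laravel\Sanctum\HasApiTokens;

class ExternalUser extends Authenticatable
{
    use HasApiTokens;

    // Separate table from the regular application users.
    protected $table = 'external_users';

    protected $fillable = ['email', 'password'];
    protected $hidden = ['password'];
}

// --- file: app/Http/Controllers/PortalTokenController.php ---
namespace App\Http\Controllers;

use App\Models\ExternalUser;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

class PortalTokenController extends Controller
{
    public function store(Request $request)
    {
        $data = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        // Manual credential check against the external_users table, so the
        // default "users" provider and session guard are not involved at all.
        $user = ExternalUser::where('email', $data['email'])->first();

        if (! $user || ! Hash::check($data['password'], $user->password)) {
            throw ValidationException::withMessages([
                'email' => ['The provided credentials are incorrect.'],
            ]);
        }

        // Scope the token to what the portal needs and give it an absolute
        // lifetime (third argument, available since Sanctum 3.x). A token
        // without expiry stays valid until someone deletes the row, so a
        // leaked one is usable indefinitely.
        $token = $user->createToken(
            'portal',
            ['portal:read'],
            now()->addHours(8)
        );

        return response()->json(['token' => $token->plainTextToken]);
    }
}

// --- file: routes/api.php (fragment) ---
// use App\Http\Controllers\PortalTokenController;
// use Illuminate\Http\Request;
// use Illuminate\Support\Facades\Route;
//
// Route::post('/portal/token', [PortalTokenController::class, 'store']);
//
// // auth:sanctum authenticates whichever model the token belongs to;
// // the abilities middleware additionally requires the "portal:read" ability.
// Route::middleware(['auth:sanctum', 'abilities:portal:read'])
//     ->get('/portal/data', function (Request $request) {
//         // $request->user() is an ExternalUser here, not an App\Models\User.
//         return $request->user()->only(['id', 'email']);
//     });

// --- file: config/sanctum.php (fragment): global default, in minutes ---
// 'expiration' => 60 * 8,
```

A per-token `expiresAt` overrides the global `expiration` setting; either way Sanctum rejects expired tokens on use but does not delete them, so schedule `php artisan sanctum:prune-expired --hours=24` to clean up the table. The `abilities` middleware alias is one you register yourself (it is not active by default), and the separate model means ordinary `User` sessions and portal tokens can never be confused for each other even though both pass through `auth:sanctum`.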
