Yondasa

Using Sanctum for Multi-Auth of two different SPA Applications

I am developing an application that consists of a user application and an "admin" application. Both applications are developed using React, Next.js with session-based Sanctum authentication.

I implemented a "user" and an "admin" guard and I am facing some issues with my implementation. For example, if I open both apps side by side and log in to both of them, I get issues when logging out. If I log out in one of the applications, I am also logged out of the other application as well. Of course, this is because the laravel_session gets destroyed, but what would be the best approach to avoid this from happening?

I use two different tables, one for users and one for admins, since they will not share any pages/views whatsoever.

Is there an elegant way to solve this using Sanctum's session-based authentication or should I consider using JWT for this approach?

tisuchi

@yondasa There are a few ways you could approach this, depending on your needs.

One way to handle this with Sanctum is to use different cookie names for each of the applications, so that logging out in one application doesn't affect the other. You can do this by creating two separate Sanctum "guards" in your config/auth.php file, each with a different session guard and cookie name. For example:

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],

        'admin' => [
            'driver' => 'session',
            'provider' => 'admins',
            'session_guard' => 'admin',
            'cookie' => 'admin_session',
        ],
    ],

Another way to do this is to use JWT (JSON Web Tokens) for authentication. JWT tokens are self-contained, meaning they carry all the necessary information to authenticate a user, such as user ID, expiration time, and any other claims you want to include. This allows you to authenticate the user on the client-side, so you don't have to store any session information on the server. This can be a good solution if you want to avoid the "logged out in one app, logged out in all apps" issue, but JWT does have some trade-offs, such as the need to handle token expiration and refreshing.

Ultimately, the best solution for you will depend on your specific use case and requirements. You may consider testing both solutions and choosing the one that fits your needs better.
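An added example, not part of the thread and not Laravel's own code: a logout handler that ends only the admin guard's login instead of destroying the shared session, which is the behaviour the question describes. It assumes the guard names `web` and `admin` from the reply above; the controller name `AdminLogoutController` is hypothetical.

```php
<?php

namespace App\Http\Controllers\Auth;

use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Illuminate\Support\Facades\Auth;

// Hypothetical controller name; guard names 'web' and 'admin' follow the reply above.
class AdminLogoutController
{
    public function __invoke(Request $request): Response
    {
        // Removes only this guard's login entry from the session.
        // A 'web' guard login stored in the same session is not touched.
        Auth::guard('admin')->logout();

        // Deliberately NOT $request->session()->invalidate(): that flushes
        // the whole session and therefore signs the other guard out too.

        // Issue a new session ID but keep the remaining data, so the
        // pre-logout ID cannot be reused.
        $request->session()->regenerate();

        // Rotate the CSRF token bound to the session.
        $request->session()->regenerateToken();

        return response()->noContent();
    }
}
```

The user application's logout handler would mirror this with `Auth::guard('web')`.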
