

Why is it bad to use Sanctum API tokens to authenticate your own first-party SPA?

Hi, in the Sanctum documentation I was reading this but I can't think of any reason why this is a bad choice. I want to use API tokens in my frontend. Is it not secure?

You should not use API tokens to authenticate your own first-party SPA. Instead, use Sanctum's built-in SPA authentication features.


@martinzeltin Where in the quoted text does it say it’s bad? It doesn’t. It’s just telling you using the actual built-in SPA authentication feature is more appropriate for, well, authentication in a SPA.

If you’re going to build a SPA, it’s better to just use tools how they’re meant to be used.
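To make concrete what "the built-in SPA authentication feature" looks like from the frontend side, here is an added example that is not part of this thread or of the Sanctum project: the cookie-based login flow a first-party SPA performs against a Sanctum-protected Laravel backend. It assumes Sanctum's default routes (`/sanctum/csrf-cookie`, `/login`, `/api/user`), that the SPA's domain is listed in Sanctum's stateful domains, and a placeholder API origin. The security-relevant difference from API tokens is visible in the code: nothing secret is ever handed to JavaScript, because the session cookie is HttpOnly and the browser attaches it itself; the only value the script touches is the CSRF token, which Laravel deliberately exposes in the URL-encoded `XSRF-TOKEN` cookie.

```javascript
// Added example (not from the thread or from Laravel/Sanctum): Sanctum SPA
// authentication from the browser. Route paths are Sanctum/Laravel defaults;
// the origin is a constructed placeholder for a same-site backend.

const API_ORIGIN = "https://app.example.test"; // placeholder

// Read one cookie out of a document.cookie-style string.
// Laravel URL-encodes the XSRF-TOKEN cookie, so the value must be decoded
// before it is echoed back in the X-XSRF-TOKEN header (axios does this for you;
// with plain fetch you have to do it yourself).
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Headers for a state-changing request. Sanctum's stateful guard checks the
// X-XSRF-TOKEN header against the session's CSRF token; the HttpOnly session
// cookie itself is attached by the browser when credentials: "include" is set.
function csrfHeaders(cookieString) {
  const token = readCookie(cookieString, "XSRF-TOKEN");
  if (!token) {
    throw new Error("XSRF-TOKEN cookie missing; request /sanctum/csrf-cookie first");
  }
  return {
    Accept: "application/json",
    "Content-Type": "application/json",
    "X-XSRF-TOKEN": token,
  };
}

// Full login flow. fetchImpl and getCookies are injectable so the flow can be
// exercised outside a browser; in the SPA pass window.fetch and
// () => document.cookie.
async function loginWithSanctum(email, password, fetchImpl = fetch, getCookies = () => document.cookie) {
  // 1. Ask Laravel to initialise CSRF protection: this sets the XSRF-TOKEN
  //    cookie and starts the session.
  await fetchImpl(`${API_ORIGIN}/sanctum/csrf-cookie`, { credentials: "include" });

  // 2. Log in. The response carries no token for the script to store; the
  //    browser now holds an HttpOnly session cookie that JavaScript cannot read.
  const res = await fetchImpl(`${API_ORIGIN}/login`, {
    method: "POST",
    credentials: "include",
    headers: csrfHeaders(getCookies()),
    body: JSON.stringify({ email, password }),
  });
  if (!res.ok) throw new Error(`login failed: ${res.status}`);

  // 3. Authenticated API calls need only credentials: "include".
  const user = await fetchImpl(`${API_ORIGIN}/api/user`, {
    credentials: "include",
    headers: { Accept: "application/json" },
  });
  return user.json();
}
```

With an API token instead, the SPA would have to keep the token somewhere JavaScript can read it and add it to every request itself, which is exactly the part the cookie flow removes; the session cookie carries the authentication and the CSRF header stops a foreign origin from riding on it.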
