Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

paakwami's avatar

Multiple table auth laravel using api tokens

I have 2 kind of users that uses database, Users and Agents. I created Auth Gaurds

\guards

'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],
        'agents' => [
            'driver' => 'session',
            'provider' => 'agents',
        ],
        'api' => [
            'driver' => 'token',
            'provider' => 'users',
            'hash' => true,
        ],
        'agents_api' => [
            'driver' => 'token',
            'provider' => 'agents',
            'hash' => true,
        ],
    ],

//providers

    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => App\User::class,
        ],
        'agents' => [
            'driver' => 'eloquent',
            'model' => App\Agents::class,
        ],
    ],

The same code for registering user is stored at 2 different locations corresponding to the 2 routes for the users.

    $validator = Validator::make($request->all(), [
        'email' => 'required|string|email|max:255|unique:agents',
        'password' => 'required|string|min:6',
    ]);
    if($validator->fails()){
        $val = ['validation_error' => $validator->errors()];
        return response()->json($val, 400);
    }

    $user = Agents::create([
        'email' => $request->get('email'),
        'password' => Hash::make($request->get('password')),
    ]);
    return response()->json($user, 200);

When logging in to create the api tokens, the same function is used (works well)

$token = Str::random(80);
        $credentials = $request->only('email', 'password');
        if (Auth::guard('web')->attempt($credentials)) {
            // Authentication passed...
            $request->user('web')->forceFill([
                'api_token' => hash('sha256', $token),
            ])->save();
            $user = Auth::guard('web')->user();
            $val = ['user' => $user, 'token'=> $token];
            return response()->json($val, 200);
        }
elseif(Auth::guard('agents')->attempt($credentials)){
            $request->user('agents')->forceFill([
                'api_token' => hash('sha256', $token),
            ])->save();
            $user = Auth::guard('agents')->user();
            $val = ['user' => $user, 'token'=> $token];
            return response()->json($val, 200);
        }

        $val = ['credential_error' => 'Login details not correct, kindly recheck'];

Now the issue is when i am trying to get the user using the header token, No matter what i do it still responds "unauthenticated"

if(Auth::guard('web')->check()){
            return Auth::guard('web')->user();
        }

        if(Auth::guard('agents')->check()){
            return Auth::guard('agents')->user();
        }

        else{
            return 'unathenticated';
        }
0 likes
1 reply
rodrigo.pedra's avatar

When using a header with the token you should use a guard that checks for the TokenGuard not the SessionGuard. In your case you should check agains the api or api_agents guards:

if(Auth::guard('api')->check()){
    return Auth::guard('api')->user();
}

if(Auth::guard('agents_api')->check()){
    return Auth::guard('agents_api')->user();
}

// no need for else here, as previous 
// `if` clauses have `return` inside them
return 'unathenticated';

Please or to participate in this conversation.