nathan-io

Best approach to extend Laravel Sanctum

We'd like to use Laravel Sanctum to issue API keys / personal access tokens for users, with some modifications:

  1. Associate an AccessRestriction with each token, which is simply a model whose properties would define security-related authorization rules for the key (such as the HTTP referrer or IP address the request must come from).
  2. Add two or three columns to the personal_access_tokens table, so we can store additional metadata for each token (or at least the id of some model where we'd store that, such as PersonalAccessTokenMetadata).
  3. The ability to deny the API request based on throttling/quotas.

I'm also unclear about how the abilities property works, especially if we're using something like spatie/laravel-permission to further determine what the API key is authorized to do.

For the added DB table columns, I suppose we could simply override Sanctum's default migration.

And I assumed that we could create separate middlewares for authorizing based on referrer/IP and for checking against rate limits, then require all API requests to first go through the auth:sanctum middleware for authentication and then those additional middlewares for authorization.

However, I'm a little fuzzy on how we would need to extend Sanctum and get all of this to work together, and just looking for some guidance.

There's an argument that we just roll our own key generation and management system. After all, the only thing Sanctum is really doing is creating a hash of a randomized 80-char string.

Thank you for any advice or guidance!
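The middleware chain described in the question (auth:sanctum first, then a separate authorization middleware that checks the token's AccessRestriction), as an added illustration that is not part of the original thread. It assumes a custom PersonalAccessToken model registered with Sanctum::usePersonalAccessTokenModel() that has an accessRestriction() relation, and that the AccessRestriction model carries `allowed_ips` (an array of IPs/CIDRs) and `allowed_referrer_host` (a nullable hostname); the class and column names are hypothetical.

```php
<?php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\IpUtils;

// Assumed schema: PersonalAccessToken->accessRestriction() returns a model with
// `allowed_ips` (array of IPs/CIDRs, may be empty) and `allowed_referrer_host`
// (nullable hostname). Register after auth:sanctum, e.g.
// Route::middleware(['auth:sanctum', EnforceTokenRestrictions::class]).
class EnforceTokenRestrictions
{
    public function handle(Request $request, Closure $next)
    {
        // auth:sanctum has already run, so the token is resolved if one was used.
        $token = optional($request->user())->currentAccessToken();
        // Session-authenticated SPA requests carry no token: nothing to restrict.
        if ($token === null) {
            return $next($request);
        }

        $restriction = $token->accessRestriction; // assumed relation
        if ($restriction !== null) {
            if (! self::ipAllowed($request->ip(), $restriction->allowed_ips ?? [])) {
                return response()->json(['message' => 'Token not usable from this IP.'], 403);
            }
            if (! self::referrerAllowed($request->headers->get('referer'), $restriction->allowed_referrer_host)) {
                return response()->json(['message' => 'Token not usable from this origin.'], 403);
            }
        }

        return $next($request);
    }

    // An empty allow-list means the token has no IP restriction.
    public static function ipAllowed(?string $ip, array $allowed): bool
    {
        return $allowed === [] || ($ip !== null && IpUtils::checkIp($ip, $allowed));
    }

    // Referer is supplied by the client, so this guards against accidental misuse
    // rather than replacing the IP check; compare hosts only, case-insensitively.
    public static function referrerAllowed(?string $referer, ?string $allowedHost): bool
    {
        if ($allowedHost === null) {
            return true;
        }
        $host = $referer ? parse_url($referer, PHP_URL_HOST) : null;
        return is_string($host) && strcasecmp($host, $allowedHost) === 0;
    }
}
```

Throttling from point 3 is left to Laravel's built-in throttle middleware, which can be keyed per token in the same chain.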

bugsysha
  1. You can relate those restrictions to User.
  2. Add them, no harm there.
  3. Just use throttling.

the only thing Sanctum is really doing is creating a hash of a randomized 80-char string

So not true.

I'm not sure I fully understand what you are asking. Clarify if possible.

nathan-io

Thanks bugsysha!

the only thing Sanctum is really doing is creating a hash of a randomized 80-char string

I didn't mean that's the only thing it does. I know that most are interested in it for SPA authentication. I should have said "the only thing Sanctum is really doing to generate a new key." I meant that if we rolled our own, we would just copy that method and build around it.

I'm also unclear about how the abilities property works, especially if we're using something like spatie/laravel-permission to further determine what the API key is authorized to do.

It's not a problem if we have a non-standard authorization/permissions solution, right? Because we can simply put all of our custom authorization logic in its own middleware which would get hit after an API request gets through the auth:sanctum middleware?

bugsysha

Sanctum is a pretty well thought-out and rounded product, so there is no need to build around it, because you might have issues upgrading or introduce some bugs which can be exploited. And since your version will probably not be used by many sites, you might miss that bug.

Generally, it is not a problem to implement your own auth/permissions logic, but since you are asking here I would avoid it, because you probably do not have enough experience to think about all the issues that might happen.

Still not sure why you would need to change anything there?
