Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
Looks like the docs consider the SPA as an API: https://laravel.com/docs/9.x/sanctum#protecting-spa-routes, and the Sanctum guard is by default at routes/api.php:
use Illuminate\Http\Request;
Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
return $request->user();
});
But I am still not sure where I should put all these requests from the SPA, and should I place the registration file in other place? Or since it's all web requests I still put all the SPA requests in routes/web.php?
@ligonsker What do you mean? If you have a SPA, then you’ll be making HTTP requests using a HTTP client like Axios, or JavaScript’s fetch API.
The routes you’ll be calling (and protected by the auth:sanctum guard) will usually go in your routes/api.php file since they’re being called asynchronously and not as web pages.
Also did you specifically go over this:
https://laravel.com/docs/9.x/sanctum#how-it-works-spa-authentication
Which states:
For this feature, Sanctum does not use tokens of any kind. Instead, Sanctum uses Laravel's built-in cookie based session authentication services.
I suggest going over the chapter again. And just my suggestion only, I would consider passport.
@martinbean @jlrdw thank you, I remember reading a question here on Laracasts forum and I might've confused that someone said you should also use web routes in this case, but again I might've misread something.
@jlrdw - I never dealt with OAuth2, how hard is it to get an OAuth2 server up and running?
Please or to participate in this conversation.