I’m building a Laravel API with Sanctum authentication and testing it with Postman but all I can get is a 401 Unauthorized response. The project is a clear Laravel 10 project with Sanctum. I’ve installed it, migrated it’s tables and executed the default DatabaseSeeder.
As I want to this API to work as a back-end for multiple front-end in different applications, I want to work with Sanctum Tokens(Is there a better option?). I’ve copied the token creation route from this doc(just changed device_name property name to token_name, didn’t touched anything more) into routes/api.php:
Route::post('/sanctum/token', function (Request $request) {
$request->validate([
'email' => 'required|email',
'password' => 'required',
'token_name' => 'required',
]);
$user = User::where('email', $request->email)->first();
if (!$user || !Hash::check($request->password, $user->password)) {
throw ValidationException::withMessages([
'email' => ['The provided credentials are incorrect.'],
]);
}
return $user->createToken($request->token_name)->plainTextToken;
});
I’ve changed the following points event though I don’t know if it’s needed as Laravel docs don’t mention them(found these on web searches):
-
config/cors.php (changed default value
falsetotrue):'supports_credentials' => true, -
Http/Kernel.php (uncommented following line):
LaravelSanctumHttpMiddlewareEnsureFrontendRequestsAreStateful::class,
This is my Postman request:
I’m not sure how to overcome this problem. I don’t want to start any front-end app without making sure API routes works.
2
Answers
Personally, if you plan on using multiple frontend clients for the API, I’d use Passport instead.
But, if you want to use Sanctum, a few things to check:
Make sure you’ve updated app->config->auth.php file to update the guard used for each route. For example, I use sanctum for Web auth, passport for API based auth:
‘guards’ => [
‘web’ => [
‘driver’ => ‘session’,
‘provider’ => ‘users’,
],
‘api’ => [
‘driver’ => ‘passport’,
‘provider’ => ‘users’,
],
],
Make sure your User model / controller has sanctum auth references where appropriate. For instance, my User model uses (using passport but same concept):
use IlluminateFoundationAuthUser as Authenticatable;
use LaravelPassportHasApiTokens;
However, you should make sure you enable this middleware before going live with a client UI as it’s a significant security vulnerability.
Those are the three main items I’ve run into that cause issues if not setup properly. Also, when you make updates like this, make sure to run php artisan cache:clear and php artisan config:clear just to be safe you’re not running into caching issues.
In your Postman request, you are targeting a web route
/sanctum/token, while you mplemented the authentication route in your api routes that should be/api/sanctum/tokenIts weird that you are getting 401 response, when you should have gotten 404 response.
Other than that, I don’t see any problem with your implemention, once you use the
/api/sanctum/tokenin your postman request with correct headers (Accept,Content-Type) you should get the proper response based on your route configuration either invalid credintials or plain text token which you can then store somewhere and add it on Authorization header for sub-sequent request.So, first issue a plain text token via user authentication
Once sucessful, saved the plaintext token, then use it on sub-sequent request protect by auth sanctum middleware e.i.
you have this api route
then your request
In summry, always append
/apiin your base URL if you are targetting an API route