Authentication is one of those topics that every developer has wrestled with. It’s deceptively simple on the surface — users log in, sessions are tracked, and protected routes are enforced. But once you move into single‑page applications (SPAs), mobile clients, and cross‑domain APIs, the complexity skyrockets.
For years, Laravel developers leaned on Passport, Laravel’s OAuth2 implementation. Passport was powerful, but it often felt like using a sledgehammer to crack a nut. If all you wanted was SPA authentication or issuing simple API tokens, Passport introduced unnecessary complexity: OAuth clients, refresh tokens, scopes, and a learning curve that didn’t match the problem.
By 2025, the ecosystem has matured. Laravel Sanctum has become the default choice for SPA authentication. It’s lightweight, secure, and designed for modern browser practices. Most importantly, it eliminates the “Passport headaches” while still giving you flexibility when you need tokens for mobile or third‑party integrations.
🚀 Why Sanctum Is the Modern Choice
Sanctum was introduced as a simpler alternative to Passport, and over time it has proven itself as the go‑to solution for SPAs. Here’s why:
- Cookie‑based session auth: Sanctum leverages Laravel’s built‑in session cookies, which are secure, HTTP‑only, and automatically handled by browsers. No need to store tokens in
localStorageorsessionStorage(which are vulnerable to XSS attacks). - CSRF protection baked in: Sanctum integrates seamlessly with Laravel’s CSRF middleware, ensuring requests are safe.
- Personal access tokens: For mobile apps or external clients, Sanctum can issue tokens without requiring a full OAuth2 server.
- No OAuth overhead: You don’t need to configure clients, scopes, or refresh tokens unless your use case truly demands it.
- Future‑proof: Sanctum aligns with modern SameSite cookie policies and cross‑domain security practices.
In short: Sanctum is simple where you want it, flexible where you need it.
🛠️ Step 1: Installing Sanctum
Start by pulling Sanctum into your Laravel project:
composer require laravel/sanctum
php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
php artisan migrateThis installs Sanctum and creates the necessary tables for personal access tokens.
📊 Step 2: Middleware Configuration
In app/Http/Kernel.php, update your API middleware group:
'api' => [
\Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
'throttle:api',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],This middleware ensures that requests from your SPA are treated as “stateful” — meaning they carry cookies and session context.
🎨 Step 3: SPA Authentication Flow
Here’s how Sanctum makes SPA auth painless:
- Login request: The SPA sends credentials to
/login. - Session cookie issued: Sanctum sets an HTTP‑only cookie.
- Subsequent requests: The browser automatically includes the cookie.
- CSRF protection: Sanctum ensures requests are safe via CSRF tokens.
No manual token storage. No refresh token juggling. Just clean, secure cookies.
Example Login Controller
public function login(Request $request)
{
$credentials = $request->only('email', 'password');
if (Auth::attempt($credentials)) {
$request->session()->regenerate();
return response()->json(['message' => 'Logged in successfully']);
}
return response()->json(['message' => 'Invalid credentials'], 401);
}📈 Step 4: Using Sanctum Tokens (Optional)
For mobile apps or external clients, Sanctum supports issuing personal access tokens:
$user = User::find(1);
$token = $user->createToken('mobile-app')->plainTextToken;This gives you the flexibility of API tokens without the full OAuth2 complexity.
🔧 Step 5: Frontend Integration (Vue/React)
On the frontend, you simply call your Laravel API with axios or fetch. Example with Axios:
import axios from 'axios';
axios.defaults.withCredentials = true;
axios.get('/api/user')
.then(response => {
console.log(response.data);
});Because Sanctum uses cookies, you don’t need to manually attach tokens — the browser handles it.
🧩 Comparing Sanctum vs Passport in 2025
| Feature | Passport (OAuth2) | Sanctum (SPA + Tokens) |
|---|---|---|
| Complexity | High | Low |
| Best for | Third‑party OAuth | SPAs, mobile apps |
| Token management | Refresh tokens, scopes | Simple personal tokens |
| Cookie‑based auth | ❌ | ✅ |
| CSRF protection | Manual setup | Built‑in |
| Learning curve | Steep | Gentle |
Passport still has its place if you’re building a full OAuth2 server or need advanced scopes. But for 90% of modern Laravel apps, Sanctum is the right tool.
🌐 Real‑World Example: SaaS Dashboard
Imagine you’re building a SaaS dashboard in 2025. Your frontend is a Vue SPA, and your backend is Laravel. With Sanctum:
- Users log in via
/login. - Sanctum issues a secure cookie.
- The SPA fetches
/api/userto get the authenticated user. - Charts, tables, and analytics load seamlessly without token headaches.
- If you later build a mobile app, you issue personal access tokens.
This flow is clean, secure, and scalable.
🔮 Looking Ahead
As browsers tighten security policies, cookie‑based authentication is becoming the standard. Sanctum’s design aligns perfectly with these trends:
- SameSite cookies prevent CSRF attacks.
- HTTP‑only cookies protect against XSS.
- Stateful middleware ensures SPAs behave like first‑class citizens.
By 2025, Sanctum isn’t just an alternative to Passport — it’s the default choice for Laravel developers building SPAs and APIs.
🧭 Final Thoughts
If you’re still wrangling with Passport for a single‑page app, it’s time to let go of the headaches. Sanctum is:
- Simpler than Passport.
- Safer than storing JWTs in localStorage.
- Flexible enough for both SPAs and mobile apps.
In 2025, Laravel Sanctum has cemented itself as the modern way to handle SPA authentication. It’s the sweet spot between simplicity and power — and it’s the authentication solution your next project deserves.