Protect API with Laravel sanctum - Gianguyen1234/app-doc GitHub Wiki

🔒 Protect API with Laravel Sanctum

Why Use Laravel Sanctum?

  • Secure API authentication 🔑
  • Supports SPA & mobile apps 📱
  • Lightweight & easy to use 🚀

1️⃣ Step 1: Install Laravel Sanctum

Run this in your Laravel project:

composer require laravel/sanctum

Then, publish the Sanctum config file:

php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"

Run database migration to create the necessary token tables:

php artisan migrate

2️⃣ Step 2: Configure Sanctum Middleware

In app/Http/Kernel.php, add Sanctum's middleware:

use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;

protected $middlewareGroups = [
    'api' => [
        // Lets first-party SPA requests authenticate with the session cookie;
        // pure bearer-token clients are unaffected by it
        EnsureFrontendRequestsAreStateful::class,
        'throttle:api',
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],
];

3️⃣ Step 3: Enable Sanctum in User Model

Modify app/Models/User.php:

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    // HasApiTokens adds createToken(), tokens() and currentAccessToken()
    use HasApiTokens, Notifiable;
}

4️⃣ Step 4: Create API Login with Sanctum Token

Modify routes/api.php:

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use App\Models\User;
use Illuminate\Support\Facades\Hash;

Route::post('/login', function (Request $request) {
    // Validate the input first so a missing field never reaches the query
    $credentials = $request->validate([
        'email'    => 'required|email',
        'password' => 'required',
    ]);

    $user = User::where('email', $credentials['email'])->first();

    // Same generic error for an unknown email and for a wrong password
    if (!$user || !Hash::check($credentials['password'], $user->password)) {
        return response()->json(['error' => 'Invalid credentials'], 401);
    }

    // Generate Sanctum token; the plaintext value is only available here
    $token = $user->createToken('auth-token')->plainTextToken;

    return response()->json(['token' => $token, 'user' => $user]);
});

Now, users can log in and get an API token! 🎉


5️⃣ Step 5: Protect Routes with Sanctum

Modify routes/api.php:

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

Only authenticated users with a valid Sanctum token can access this route.
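As an added example (not code from the wiki or the app-doc project), the login route of Step 4 and the protected route of Step 5 combined into one hardened routes/api.php fragment: validated input, per-device token names, a token ability, an expiry and a logout route that revokes the token. It assumes a bearer-token client and a Sanctum version that accepts an expiry as the third argument of createToken() (3.3 or newer); the route paths and the 'orders:read' ability name are illustrative.

```php
<?php
// Added example (not from the wiki): routes/api.php fragment extending Steps 4
// and 5 with validation, per-device token names, a scoped ability, an expiry
// and a logout route. Paths and the 'orders:read' ability are assumptions.
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;

Route::post('/login', function (Request $request) {
    // Reject malformed input before it reaches the database query.
    $data = $request->validate([
        'email'       => ['required', 'email'],
        'password'    => ['required', 'string'],
        'device_name' => ['required', 'string', 'max:100'],
    ]);
    $user = User::where('email', $data['email'])->first();

    // One generic failure response, so the endpoint does not reveal
    // whether the email exists.
    if (! $user || ! Hash::check($data['password'], $user->password)) {
        return response()->json(['error' => 'Invalid credentials'], 401);
    }

    // One token per device, limited to the ability this client needs and
    // expiring after 30 days; the plaintext value is returned only once.
    $token = $user->createToken(
        $data['device_name'],
        ['orders:read'],
        now()->addDays(30)
    )->plainTextToken;

    return response()->json(['token' => $token]);
});

Route::middleware('auth:sanctum')->group(function () {
    Route::get('/user', fn (Request $request) => $request->user());

    // Per-token ability check: tokens issued without 'orders:read' get 403.
    Route::get('/orders', function (Request $request) {
        abort_unless($request->user()->tokenCan('orders:read'), 403);
        return response()->json(['orders' => []]); // constructed placeholder
    });

    // Revoke only the token that authenticated this request (per-device logout).
    Route::post('/logout', function (Request $request) {
        $request->user()->currentAccessToken()->delete();
        return response()->json(['message' => 'Logged out']);
    });
});
```

Revoking every token of a user (all devices) would instead be `$request->user()->tokens()->delete()`.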


6️⃣ Step 6: Test API with Postman

1️⃣ Login & Get Token:
Send a POST request to /api/login with:

{
  "email": "[email protected]",
  "password": "password"
}

You’ll receive:

{
  "token": "1|H8xj8lqO9x...",
  "user": { "id": 1, "name": "John Doe" }
}

2️⃣ Use Token to Access Protected Routes:
Send a GET request to /api/user with the header Authorization: Bearer {token}

If the token is valid, you'll get user details!


🔥 Done! Your API is Secure! 🚀

Now, every route placed behind the auth:sanctum middleware is protected with Laravel Sanctum! 🎯