Laravel 12 Passport vs. Sanctum – Which One Should You Use?

Author

Kritim Yantra

Jun 05, 2025

Authentication is a big deal in web development — it's what keeps your users' data safe and your app secure. Laravel, one of the most popular PHP frameworks, gives you two amazing tools to handle API authentication: Passport and Sanctum.

But which one should you choose for your project? Don’t worry — this guide will help you understand the difference in plain, beginner-friendly language.


🔑 Key Takeaways

  • Passport is perfect for apps that need advanced security and OAuth2, like integrations with third-party apps.
  • Sanctum is lightweight and ideal for SPAs (Single Page Applications), mobile apps, or simple API token usage.
  • Passport is more powerful but complex, while Sanctum is simple and fast to set up.

🧭 Overview: Laravel 12 Authentication

Laravel 12 gives developers two powerful options to handle API authentication:

Feature        Passport (OAuth2)             Sanctum (Simple Tokens)
Complexity     High                          Low
Use Case       Third-party apps, APIs        SPAs, mobile apps
Setup Time     Longer                        Quick and easy
Token Types    Access, Refresh, Personal     API tokens, Session cookies
Best For       Complex apps                  Simpler, first-party apps

🛠️ When to Use Passport

Use Passport if your app needs:

  • Full OAuth2 support (Authorization Code, Password, Client Credentials, etc.)
  • Third-party integration (e.g., Google, Facebook login, or client APIs)
  • Advanced features like token expiration, refresh tokens, and revoking access
  • Enterprise-level security and user permission control

🍃 When to Use Sanctum

Use Sanctum if your app is:

  • A Single Page Application (SPA) built with Vue.js, React, etc.
  • A mobile app that connects with Laravel as the backend
  • A first-party web app where you control both frontend and backend
  • In need of a quick and easy authentication setup

🧰 Installing and Using Laravel Passport

Here’s how you can install and use Passport:

🧪 Step-by-Step

  1. Install the package

    composer require laravel/passport
    
  2. Run migrations

    php artisan migrate
    
  3. Install Passport

    php artisan passport:install
    
  4. Update your User model

    namespace App\Models;
    
    use Illuminate\Foundation\Auth\User as Authenticatable;
    use Illuminate\Notifications\Notifiable;
    use Laravel\Passport\HasApiTokens;
    
    class User extends Authenticatable
    {
        // HasApiTokens lets Passport issue and validate tokens for this model
        use HasApiTokens, Notifiable;
    }
    
  5. Set up API guard in config/auth.php

    'guards' => [
        'api' => [
            'driver' => 'passport',
            'provider' => 'users',
        ],
    ],
    
  6. Protect your routes

    Route::middleware('auth:api')->group(function () {
        // Protected routes here
    });
    
  7. Optional: Token expiration settings

    use Laravel\Passport\Passport;
    
    // Call these from the boot() method of App\Providers\AppServiceProvider
    Passport::tokensExpireIn(now()->addDays(15));
    Passport::refreshTokensExpireIn(now()->addDays(30));
    

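Putting the expiry settings together with scopes, as an added example that is not part of the original post: a Passport service provider that limits what any issued token can do, plus a route that checks the scope rather than only the presence of a token. The scope names and the `orders()` relation are assumptions for illustration.

```php
<?php
// file: app/Providers/AppServiceProvider.php (added example, not from the post)
namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use Laravel\Passport\Passport;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Short-lived access tokens limit the damage of a leaked bearer token;
        // refresh tokens live longer but can be revoked server-side.
        Passport::tokensExpireIn(now()->addMinutes(30));
        Passport::refreshTokensExpireIn(now()->addDays(14));
        Passport::personalAccessTokensExpireIn(now()->addDays(30));

        // Declare the scopes a client may request; unknown scopes are rejected.
        // Scope names are assumptions for this example.
        Passport::tokensCan([
            'orders:read'  => 'Read your orders',
            'orders:write' => 'Create and cancel orders',
        ]);

        // Tokens that request no scope fall back to read-only access.
        Passport::setDefaultScope(['orders:read']);
    }
}

// file: routes/api.php (added example, not from the post)
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:api')->group(function () {
    Route::get('/orders', function (Request $request) {
        // auth:api only proves a valid token was presented; enforce the scope
        // per route so a read-only token cannot reach write endpoints.
        abort_unless($request->user()->tokenCan('orders:read'), 403);

        return $request->user()->orders()->get(); // assumes an orders() relation
    });

    Route::post('/orders', function (Request $request) {
        abort_unless($request->user()->tokenCan('orders:write'), 403);

        return response()->json(['status' => 'created'], 201);
    });
});
```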
🧰 Installing and Using Laravel Sanctum

Sanctum is easier and faster to get running. Here’s how to do it:

🍃 Step-by-Step

  1. Install the package

    composer require laravel/sanctum
    
  2. Publish the config file

    php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
    
  3. Run the migrations

    php artisan migrate
    
  4. Update your User model

    namespace App\Models;
    
    use Illuminate\Foundation\Auth\User as Authenticatable;
    use Illuminate\Notifications\Notifiable;
    use Laravel\Sanctum\HasApiTokens;
    
    class User extends Authenticatable
    {
        // HasApiTokens adds createToken(), tokens() and currentAccessToken()
        use HasApiTokens, Notifiable;
    }
    
  5. Protect your routes

    Route::middleware('auth:sanctum')->group(function () {
        // Protected routes here
    });
    
  6. Issue tokens

    // The plain-text value is only available here; Sanctum stores a SHA-256 hash of it
    $token = $user->createToken('token-name')->plainTextToken;
    
  7. Use in API requests

    Authorization: Bearer your_token_here
    

🧩 For SPAs and Mobile Apps (Sanctum)

If you're building a frontend with Vue, React, or a mobile app:

  • For SPAs, Sanctum uses Laravel's session cookies rather than API tokens.
  • Make sure the SPA shares the same top-level domain as your Laravel backend.
  • Add the domains your frontend is served from to .env:

    SANCTUM_STATEFUL_DOMAINS=localhost:3000,127.0.0.1:8000
    
  • Then, in your frontend, make a call to /sanctum/csrf-cookie before login to initialize CSRF protection (it sets the XSRF-TOKEN cookie that later requests send back).

🔍 Summary: Which One Should You Choose?

Scenario                                    Recommended Package
Need OAuth2 for third-party apps            Laravel Passport
Building a first-party SPA or mobile app    Laravel Sanctum
Want a quick and simple setup               Laravel Sanctum
Need advanced token control                 Laravel Passport
Developing large-scale enterprise APIs      Laravel Passport

📘 Final Thoughts

Both Laravel Passport and Sanctum are excellent tools — it all depends on what your app needs.

  • If you're integrating with external services, go with Passport.
  • If you're building your own web or mobile frontend, Sanctum will save you time and effort.

Whichever you choose, Laravel makes authentication secure and developer-friendly.
