At some point, a client asks: "Can our ERP system pull data from this app automatically?" Or a power user wants to connect your platform to their own tooling. Or a partner wants to build an integration.
The answer used to require building a full OAuth server — scopes, authorization flows, refresh tokens, the whole thing. That's weeks of work. Laravel Sanctum cuts that down to a day. API tokens, scoped permissions, and proper revocation without the overhead.
What Sanctum Is (and Isn't)
Sanctum handles two things: SPA authentication (cookie-based for your own front-end) and API token authentication (for external clients and integrations). We're focused on the token side here.
It's not a full OAuth2 server. If you need to let arbitrary third parties authorize on behalf of users the way "Sign in with Google" works, you want Passport. But for the common case — issuing tokens to known partners, power users, or your own mobile app — Sanctum is exactly right. Simpler, faster, and easier to maintain.
Getting It Running
composer require laravel/sanctum
php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
php artisan migrate
Add the HasApiTokens trait to your User model:
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    // HasApiTokens adds createToken(), tokens() and tokenCan() to the model
    use HasApiTokens, HasFactory, Notifiable;
}
Protect your API routes:
use App\Http\Controllers\OrderController;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->group(function () {
    Route::get('/orders', [OrderController::class, 'index']);
    Route::post('/orders', [OrderController::class, 'store']);
});
That's the foundation. Any request to these routes needs a valid Bearer token.
Issuing Tokens
Creating a token is one line:
$token = $user->createToken('partner-integration', ['orders:read'])->plainTextToken;
The second argument is the list of abilities — scopes, in plain terms. This token can read orders but nothing else. When the partner hits your API, you check abilities in the controller:
// The token is resolved on every request, so a revoked or under-scoped token fails here
if (!$request->user()->tokenCan('orders:read')) {
    abort(403);
}
You store only a hashed version of the token. The plain text goes to the partner once. If they lose it, they get a new one. This is the right security model — you can never leak what you don't have.
Token Management
Tokens are rows in the personal_access_tokens table. You can list them, revoke them, and scope them per user. Build a simple UI in your admin panel and partners can manage their own tokens without your involvement.
// List all tokens for a user
$user->tokens;
// Revoke a specific token
$user->tokens()->where('id', $tokenId)->delete();
// Revoke all tokens (useful if an account is compromised)
$user->tokens()->delete();
Revocation is instant. Every request looks the token up in the database, so there are no sessions to invalidate and no caches to clear. The token stops working on the next request.
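A fuller version of the issuing and revocation flow from the two sections above, as an added example that is not from the original post or from Sanctum itself: it restricts which abilities a partner can request, moves the ability check into route middleware so no controller can forget it, and lets a partner revoke only its own tokens. The 'orders:write' ability, the route paths, the 90-day expiry and the validation rules are assumptions, as is that the 'abilities' middleware alias (Sanctum's CheckAbilities class) has been registered in the application.

```php
<?php
// Added example, not code from the original post or from Sanctum itself.
// Assumes the 'abilities' middleware alias has been registered (Sanctum's
// CheckAbilities class) and that OrderController exists as in the post.
use App\Http\Controllers\OrderController;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\Rule;

// Abilities a partner may ask for. Anything else fails validation, so a
// token can never be minted with the default '*' (everything) ability.
const PARTNER_ABILITIES = ['orders:read', 'orders:write'];

Route::middleware('auth:sanctum')->group(function () {
    // Mint a token. The plain text is returned exactly once; only its
    // SHA-256 hash is written to personal_access_tokens.
    Route::post('/tokens', function (Request $request) {
        $data = $request->validate([
            'name'        => ['required', 'string', 'max:100'],
            'abilities'   => ['required', 'array', 'min:1'],
            'abilities.*' => [Rule::in(PARTNER_ABILITIES)],
        ]);
        $token = $request->user()->createToken(
            $data['name'],
            $data['abilities'],
            now()->addDays(90) // expiry (Sanctum 3.x third argument)
        );
        return response()->json(['token' => $token->plainTextToken], 201);
    });

    // Enforce abilities at the route layer so no controller can forget.
    Route::get('/orders', [OrderController::class, 'index'])
        ->middleware('abilities:orders:read');
    Route::post('/orders', [OrderController::class, 'store'])
        ->middleware('abilities:orders:write');

    // Revoke the token that authenticated this request (credential
    // rotation); only meaningful when the caller authenticated with a token.
    Route::delete('/tokens/current', function (Request $request) {
        $request->user()->currentAccessToken()->delete();
        return response()->noContent();
    });

    // Revoke one of the caller's own tokens; the tokens() relation scopes
    // the delete to this user, so nobody can revoke another account's token.
    Route::delete('/tokens/{id}', function (Request $request, int $id) {
        $request->user()->tokens()->where('id', $id)->delete();
        return response()->noContent();
    });
});
```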
The Business Angle
API access isn't just a technical feature — it's a revenue and retention lever. Integrations make your platform sticky. When a partner's ERP is pulling data from your app daily, switching costs go up dramatically. When power users can build their own workflows on top of your platform, they become champions for it internally.
I've seen straightforward Sanctum integrations unlock partnership conversations that had stalled because the technical path felt too complex. "How do we connect to your system?" is a much better problem to have than "why would we use your system?"
The token model also gives you visibility. You know exactly which partner is making which calls, how frequently, and whether anything looks wrong. That's operational intelligence you wouldn't have with shared credentials.
If you're at the point where partners are asking about integrations, let's talk about the right scope for your API. Most of the time it's less work than you'd expect.