Postman is a popular API client that helps developers create, test, and document API requests. In this article, we will configure Postman to obtain tokens from a Laravel Sanctum API and use them to access protected routes. We will log in, fetch the authenticated user's data, and log the user out of the app. We covered Laravel Sanctum, and how to install it in your project, in a previous article.
This article shows you how to set up Postman for testing your API routes. However, you could also use Insomnia or other HTTP clients to do the same thing. They all have similar setups, and you can easily follow our instructions.
Laravel Sanctum provides a simple way to authenticate your frontend app using API tokens. These tokens usually have a very long expiration time (years) but can be revoked by the user at any time. Sanctum does this by keeping user API tokens in a database table and checking each incoming HTTP request for an Authorization header that carries a valid API token.
We need to create an AuthController that will handle token generation for our users. First, create the controller using the command:
php artisan make:controller API/AuthController
Then, open the newly created AuthController, located at app/Http/Controllers/API/AuthController.php, and add the following code:
<?php

namespace App\Http\Controllers\API;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class AuthController extends Controller
{
    // Validate the credentials and issue a new personal access token
    public function generateToken(Request $request)
    {
        $request->validate([
            'email' => 'required|email',
            'password' => 'required',
        ]);

        if (! Auth::attempt($request->only('email', 'password'))) {
            return response()->json([
                'message' => 'The provided credentials are incorrect.',
            ], 401);
        }

        $user = User::where('email', $request->email)->first();

        // plainTextToken is returned to the client once; Sanctum stores only its hash
        $token = $user->createToken('Token for user ' . $user->email)->plainTextToken;

        return response()->json(['token' => $token], 200);
    }

    // Revoke the token that authenticated this request
    public function logout(Request $request)
    {
        $request->user()->currentAccessToken()->delete();

        return response()->json([
            'message' => 'You have been successfully logged out.',
        ], 200);
    }
}
The generateToken method validates the user's credentials and then issues a new personal access token, named after the user's email, returning its plain-text value. The logout method handles the logout process by revoking the token that authenticated the current request, so that token cannot be used again.
Sanctum provides middleware that can be applied to your API routes to protect them. This makes sure that only authenticated requests can access those routes.
You can protect your routes by applying the auth:sanctum middleware to them in routes/api.php. The /auth/token route stays open for unauthenticated users, while the /auth/logout route is protected by the auth:sanctum middleware, ensuring that only authenticated users can reach it. Let's do that now.
<?php

use App\Http\Controllers\API\AuthController;
use App\Http\Controllers\API\PostController;
use App\Http\Controllers\API\UserController;
use Illuminate\Support\Facades\Route;

// Public route, unprotected
Route::post('/auth/token', [AuthController::class, 'generateToken']);

Route::middleware(['auth:sanctum'])->group(function () {
    // Protected User API routes
    Route::get('/users', [UserController::class, 'index']);
    Route::get('/users/{id}', [UserController::class, 'show']);

    // Protected Post API routes
    Route::get('/posts', [PostController::class, 'index']);
    Route::get('/posts/{id}', [PostController::class, 'show']);

    // Logout route
    Route::post('/auth/logout', [AuthController::class, 'logout']);
});
With this middleware in place, only requests carrying a valid Sanctum token can reach the protected routes. We created these routes in a previous article, Laravel 11 for Beginners: API Resources. This time, however, we have grouped the routes that need the Sanctum middleware, so make sure you make the same changes on your end.
Start by creating a collection named after the project you are working on, for example Blog. In this collection, you will add all the requests you need for the authentication process and for making changes to the blog posts.
Create the blog environment for saving the token data and the apiUrl variable, which simplifies the API calls. Click the Environment quick look button in the top right corner and click Add in the Environment section. Change the name of the New Environment to blog. Now create a variable named apiUrl with both the Initial value and the Current value set to http://localhost:8000.
Create a new request, name it Login, and set the request type to POST. The address should be {{apiUrl}}/api/auth/token. Navigate to the Headers tab and add the Accept key with the value application/json. On the Body tab, choose form-data and add the email and password of your user.
If you did everything right, the response contains the token and the user is logged in. Copy the token; you need to send it with every other request you make.
Open your Laravel application and modify the routes/api.php
file to include a new route. Let's use the following example:
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::get('/user', function (Request $request) {
    return $request->user();
})->middleware('auth:sanctum');
This route returns information about the currently authenticated user. Back in Postman, create a new GET request and name it Get User. Set the address to {{apiUrl}}/api/user. This one doesn't need anything in the Body tab, but on the Headers tab you again need to include the Accept key with the value application/json. On the Authorization tab, choose Bearer Token and paste the API token you received during login. That's it!
Create a new POST request, name it Logout, and set the address to {{apiUrl}}/api/auth/logout. This is similar to the Login request. Navigate to the Headers tab and add the Accept key with the value application/json. On the Authorization tab, choose Bearer Token and paste the API token you received during login. Click Send and you are logged out of your app: the token has been revoked, so repeating the Get User request with that same token is rejected.
Now you have all the information you need to create requests for authentication, user data retrieval, and logout. These steps are important for handling API token authentication using Laravel Sanctum and Postman.