API Laravel Jetstream
- Enabling API Support
- Defining Permissions
- Authorizing Incoming Requests
Jetstream includes first-party integration with Laravel Sanctum. Laravel Sanctum provides a featherweight authentication system for SPAs (single page applications), mobile applications, and simple, token based APIs. Sanctum allows each user of your application to generate multiple API tokens for their account. These tokens may be granted abilities / permissions which specify which actions the tokens are allowed to perform.
By default, the API token creation panel may be accessed using the "API" link of the top-right user profile dropdown menu. From this screen, users may create Sanctum API tokens that have various permissions.
For more information on Sanctum and to learn how to issue requests to a Sanctum authenticated API, please consult the official Sanctum documentation.
If your application will be offering an API to third-parties, you must enable Jetstream's API feature. To do so, you should uncomment the relevant entry in the
features configuration option of the
config/jetstream.php configuration file:
'features' => [ Features::profilePhotos(), Features::api(), Features::teams(), ],
The permissions available to API tokens are defined using the
Jetstream::permissions method within your application's
JetstreamServiceProvider. Permissions are just simple strings. Once they have been defined they may be assigned to an API token:
Jetstream::defaultApiTokenPermissions(['read']); Jetstream::permissions([ 'create', 'read', 'update', 'delete', ]);
defaultApiTokenPermissions method may be used to specify which permissions should be selected by default when creating a new API token. Of course, a user may uncheck a default permission before creating the token.
Every request made to your Jetstream application, even to authenticated routes within your
routes/web.php file, will be associated with a Sanctum token object. You may determine if the associated token has a given permission using the
tokenCan method provided by the
Laravel\Sanctum\HasApiTokens trait. This trait is automatically applied to your application's
App\Models\User model during Jetstream's installation:
When a user makes a request to a route within your
routes/web.php file, the request will typically be authenticated by Sanctum through a cookie based
web guard. Since the user is making a first-party request through the application UI in this scenario, the
tokenCan method will always return
At first, this behavior may seem strange; however, it is convenient to be able to always assume an API token is available and can be inspected via the
tokenCan method. This means that within your application's authorizations policies you may always call this method without fear that there is no token associated with the request.