Authentication is how your application knows who is using it. Laravel makes authentication very simple out of the box: it provides login, registration, session management, and API token authentication with minimal setup.
How Authentication Works
Laravel authentication has two core concepts:
1. Guards: define how users are authenticated (session, token, etc.)
2. Providers: define where users are stored (database table, Eloquent model)
config/auth.php

'defaults' => [
    'guard' => 'web', // Default guard
    'passwords' => 'users', // Default password reset
],

'guards' => [
    'web' => [
        'driver' => 'session', // Uses session cookies
        'provider' => 'users',
    ],
    'api' => [
        'driver' => 'sanctum', // Uses API tokens
        'provider' => 'users',
    ],
],

'providers' => [
    'users' => [
        'driver' => 'eloquent', // Uses Eloquent model
        'model' => App\Models\User::class,
    ],
],

1. Quick Setup with Starter Kits
The fastest way to add authentication is using Laravel Breeze or Jetstream. They scaffold login, register, password reset, and email verification for you.
Terminal: Laravel Breeze

# Install Breeze
composer require laravel/breeze --dev

# Scaffold auth with Blade views
php artisan breeze:install blade

# Or with Vue / React / API
php artisan breeze:install vue
php artisan breeze:install react
php artisan breeze:install api

# Run migrations and build assets
php artisan migrate
npm install && npm run dev

Breeze vs Jetstream: Use Breeze for simple authentication. Use Jetstream if you need teams, two-factor auth, API tokens, and profile management.

2. Manual Authentication
If you want full control, you can implement authentication manually.
Registration

app/Http/Controllers/RegisterController.php

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

class RegisterController extends Controller
{
    public function showForm()
    {
        return view('auth.register');
    }

    public function register(Request $request)
    {
        // Validate input
        $validated = $request->validate([
            'name' => 'required|string|max:255',
            'email' => 'required|email|unique:users',
            'password' => 'required|min:8|confirmed',
        ]);

        // Create the user
        $user = User::create([
            'name' => $validated['name'],
            'email' => $validated['email'],
            'password' => Hash::make($validated['password']),
        ]);

        // Log them in automatically
        Auth::login($user);

        return redirect('/dashboard');
    }
}

Login
app/Http/Controllers/LoginController.php

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class LoginController extends Controller
{
    public function showForm()
    {
        return view('auth.login');
    }

    public function login(Request $request)
    {
        $credentials = $request->validate([
            'email' => 'required|email',
            'password' => 'required',
        ]);

        // Attempt to authenticate
        if (Auth::attempt($credentials, $request->boolean('remember'))) {
            // Issue a new session ID after login to prevent session fixation
            $request->session()->regenerate();

            return redirect()->intended('/dashboard');
        }

        // Authentication failed
        return back()->withErrors([
            'email' => 'The provided credentials do not match.',
        ])->onlyInput('email');
    }
}

Logout
public function logout(Request $request)
{
    Auth::logout();

    // Discard the old session and issue a fresh CSRF token
    $request->session()->invalidate();
    $request->session()->regenerateToken();

    return redirect('/');
}

3. Auth Routes
routes/web.php

use App\Http\Controllers\LoginController;
use App\Http\Controllers\RegisterController;
use Illuminate\Support\Facades\Route;

// Guest only routes
Route::middleware('guest')->group(function () {
    Route::get('/register', [RegisterController::class, 'showForm']);
    Route::post('/register', [RegisterController::class, 'register']);
    Route::get('/login', [LoginController::class, 'showForm'])->name('login');
    Route::post('/login', [LoginController::class, 'login']);
});

// Authenticated only routes
Route::middleware('auth')->group(function () {
    Route::post('/logout', [LoginController::class, 'logout']);
    Route::get('/dashboard', function () {
        return view('dashboard');
    });
});

4. Protecting Routes
Use the auth middleware to require authentication:
Different ways to protect routes

// Single route
Route::get('/profile', [ProfileController::class, 'show'])
    ->middleware('auth');

// Group of routes
Route::middleware('auth')->group(function () {
    Route::get('/dashboard', [DashboardController::class, 'index']);
    Route::get('/settings', [SettingsController::class, 'index']);
});

// In controller constructor
// (needs a base Controller that extends Illuminate\Routing\Controller)
class ProfileController extends Controller
{
    public function __construct()
    {
        $this->middleware('auth');
    }
}

5. Using the Auth Helper
Getting Current User Info

use Illuminate\Support\Facades\Auth;

// Get the currently authenticated user
$user = Auth::user();

// Get just the user's ID
$id = Auth::id();

// Check if user is logged in
if (Auth::check()) {
    // User is logged in
}

// In Blade templates
@auth
    <p>Welcome, {{ auth()->user()->name }}</p>
@endauth

@guest
    <a href="/login">Login</a>
@endguest

6. API Authentication (Sanctum)
For API authentication (Vue/React SPA or mobile apps), use Laravel Sanctum:
Terminal

# Install Sanctum
php artisan install:api

API Login: return token

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

public function login(Request $request)
{
    $request->validate([
        'email' => 'required|email',
        'password' => 'required',
    ]);

    $user = User::where('email', $request->email)->first();

    // Same response for an unknown email and a wrong password
    if (! $user || ! Hash::check($request->password, $user->password)) {
        return response()->json([
            'message' => 'Invalid credentials'
        ], 401);
    }

    // Create a token
    $token = $user->createToken('auth-token')->plainTextToken;

    return response()->json([
        'user' => $user,
        'token' => $token,
    ]);
}

Protect API routes
// routes/api.php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->group(function () {
    Route::get('/user', function (Request $request) {
        return $request->user();
    });

    Route::post('/logout', function (Request $request) {
        // Revoke only the token that authenticated this request
        $request->user()->currentAccessToken()->delete();

        return response()->json(['message' => 'Logged out']);
    });
});

Summary
- Guards & Providers: how and where users are authenticated
- Breeze / Jetstream: quick scaffolding for auth views
- Manual Auth: register, login, logout with full control
- Middleware: protect routes with auth middleware
- Sanctum: token-based API authentication
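
The API login in section 6 calls createToken('auth-token') with no further arguments, so the token carries every ability (`*`) and has no expiry of its own. An added example, not from the original page, that issues a scoped, expiring token and checks the ability on use; the class name, the device_name field, the ability names and the 7-day lifetime are assumptions, and the User model is assumed to use Sanctum's HasApiTokens trait:

```php
<?php

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class ApiTokenController extends Controller // hypothetical name
{
    public function login(Request $request)
    {
        $data = $request->validate([
            'email' => 'required|email',
            'password' => 'required',
            'device_name' => 'required|string|max:255', // assumed extra field
        ]);

        $user = User::where('email', $data['email'])->first();

        if (! $user || ! Hash::check($data['password'], $user->password)) {
            return response()->json(['message' => 'Invalid credentials'], 401);
        }

        // Replace any older token for this device instead of piling them up.
        $user->tokens()->where('name', $data['device_name'])->delete();

        // Limit the token to named abilities and give it an expiry time.
        // The ability names and the 7-day lifetime are assumptions.
        $token = $user->createToken(
            $data['device_name'],
            ['profile:read', 'orders:read'],
            now()->addDays(7)
        );

        return response()->json(['token' => $token->plainTextToken]);
    }

    public function orders(Request $request)
    {
        // Served behind auth:sanctum; reject tokens lacking the ability.
        abort_unless($request->user()->tokenCan('orders:read'), 403);

        return response()->json(['orders' => []]); // placeholder payload
    }
}
```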