Laravel Authentication: Tokens vs Cookies & When to use which

Copy link

What's Authentication?

First, let's talk about how authentication works. A user will provide their username and password via a login form when using a web browser. If these credentials are correct, the application will store information about the authenticated user in the user's session. A cookie issued to the browser contains the session ID so that the following requests to the application can associate the user with the correct session. After the session cookie is received, the application will retrieve the session data based on the session ID, note that the authentication information has been stored in the session, and will consider the user as "authenticated".

Many web applications provide a way for their users to authenticate with the application and "log in". Implementing this feature in web applications can be complex and potentially risky. For this reason, Laravel strives to give you the tools you need to implement authentication quickly, securely, and easily.

Authentication in Laravel

At its core, Laravel's authentication facilities are comprised of "guards" and "providers". Guards define how users are authenticated for each request. For example, Laravel ships with a session guard which maintains state using session storage and cookies.

When a remote service needs to authenticate to access an API, cookies are not used because there is no web browser. Instead, the remote service sends an API token to the API on each request. The application may validate the incoming token against a table of valid API tokens and "authenticate" the request as being performed by the user associated with that API token. This approach is used most commonly when authenticating a mobile application such as our Hoyo Home mobile app, or a front-end web application that is unable to be placed under the same domain as the back-end API.

Laravel includes built-in authentication and session services which are typically accessed via facades. These features provide cookie-based authentication for requests that are initiated from web browsers. They provide methods that allow you to verify a user's credentials and authenticate the user. In addition, these services will automatically store the proper authentication data in the user's session and issue the user's session cookie.

First-party Solutions Offered By Laravel

Laravel provides two optional packages to assist you in managing API tokens and authenticating requests made with API tokens: Passport and Sanctum.

Passport is an OAuth2 authentication provider, offering a variety of OAuth2 "grant types" which allow you to issue various types of tokens. In general, this is a robust and complex package for API authentication. However, most applications do not require the complex features offered by the OAuth2 spec, which can be confusing for both users and developers. In addition, developers have been historically confused about how to authenticate SPA applications or mobile applications using OAuth2 authentication providers like Passport.

Sanctum is an authentication package that can handle both first-party web requests from a web browser and API requests via tokens. It was built with the goal of being a simpler, more streamlined authentication package. Sanctum should be considered the preferred and recommended authentication package for applications that will be offering a first-party web UI in addition to an API or will be powered by a single-page application (SPA) that exists separately from the backend Laravel application, or applications that offer a mobile client.

Choosing Your Stack

Laravel offers a versatile range of authentication options to suit various project needs. These include cookie authentication, email & password authentication, and social logins like Google and Facebook.

Cookie authentication is a robust choice for traditional web applications, especially when your front-end and API back-end reside on the same domain. However, it may not be suitable if your front-end and API are hosted on different domains.

For applications accessed through browsers and built on Laravel, the built-in cookie authentication services are a straightforward choice.

If your application involves API consumption by third parties, you'll need to decide between Passport and Sanctum for API token authentication. Sanctum is generally preferred due to its simplicity and completeness, offering solutions for API, SPA, and mobile authentication, including support for "scopes" or "abilities."

If you're developing a single-page application (SPA) backed by Laravel, opting for Laravel Sanctum is recommended. When using Sanctum, you can either manually implement your backend authentication routes or leverage Laravel Fortify as a headless authentication backend service, which provides routes and controllers for essential features like registration, password reset, and email verification.

Passport becomes the right choice when your application requires the full range of OAuth2 features.


At Hoyo Tech Laravel has become an integral part of our toolkit. Its robust features, elegant syntax, and vibrant community support have consistently proven to be valuable assets in our daily work. Our trust in Laravel's capabilities is not just a matter of convenience; it's a testament to the reliability and efficiency it brings to our projects.

We wholeheartedly recommend Laravel to all those considering future projects, as it has consistently delivered exceptional results, earning a special place in our hearts as the go-to framework for web application development. With Laravel, the possibilities are boundless, and the results are truly remarkable.


Erit Islami

Full-Stack Engineer

Sep 05, 2023