
daniel-de-wit/lighthouse-sanctum
================================

Laravel Sanctum support for Laravel Lighthouse.


Lighthouse Sanctum
==================


Add [Laravel Sanctum](https://github.com/laravel/sanctum) support to [Lighthouse](https://github.com/nuwave/lighthouse)

- [Requirements](#requirements)
- [Installation](#installation)
- [Usage](#usage)
    - [Login](#login)
    - [Logout](#logout)
    - [Register](#register)
    - [Email Verification](#email-verification)
    - [Forgot Password](#forgot-password)
    - [Reset Password](#reset-password)
- [Custom Identification](#custom-identification)

Requirements
------------


- [laravel/sanctum:^3.0 || ^4.0](https://github.com/laravel/sanctum)
- [nuwave/lighthouse:^6](https://github.com/nuwave/lighthouse)

Installation
------------


#### 1. Install using composer:


```
composer require daniel-de-wit/lighthouse-sanctum
```

#### 2. Publish configuration and schema


```
php artisan vendor:publish --tag=lighthouse-sanctum
```

#### 3. Import the published schema into your main GraphQL schema (`./graphql/schema.graphql`)


```
type Query
type Mutation

#import sanctum.graphql
```

#### 4. HasApiTokens

Apply the `Laravel\Sanctum\HasApiTokens` trait to your Authenticatable model as [described in the Laravel Sanctum documentation](https://laravel.com/docs/8.x/sanctum#issuing-api-tokens).

```
// Base class for authenticatable Eloquent models
// (Illuminate\Auth\Authenticatable is a trait and cannot be extended).
use Illuminate\Foundation\Auth\User as Authenticatable;
use Laravel\Sanctum\Contracts\HasApiTokens as HasApiTokensContract;
use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable implements HasApiTokensContract
{
    // Adds the token management methods used to issue and revoke API tokens.
    use HasApiTokens;
}
```

#### 5. Configuration


This package relies on [API Token Authentication](https://laravel.com/docs/8.x/sanctum#api-token-authentication), which uses stateless Bearer tokens to authenticate requests.

By default, [Laravel Sanctum](https://laravel.com/docs/8.x/sanctum) assumes that requests made from localhost should use the stateful [SPA Authentication](https://laravel.com/docs/8.x/sanctum#spa-authentication) instead. To disable this behaviour, remove all entries from the `stateful` section of your Sanctum configuration:

```
// File: ./config/sanctum.php

    /*
    |--------------------------------------------------------------------------
    | Stateful Domains
    |--------------------------------------------------------------------------
    |
    | Requests from the following domains / hosts will receive stateful API
    | authentication cookies. Typically, these should include your local
    | and production domains which access your API via a frontend SPA.
    |
    */

    'stateful' => [
        // Remove entries here
    ],
```

Make sure the following middleware is enabled for Lighthouse:

```
// File: ./config/lighthouse.php
    'middleware' => [
        // ... other middleware

        \Nuwave\Lighthouse\Support\Http\Middleware\AttemptAuthentication::class,

        // ... other middleware
    ],
```

Configure Lighthouse to use the Sanctum guard:

```
// File: ./config/lighthouse.php
    /*
    |--------------------------------------------------------------------------
    | Authentication Guard
    |--------------------------------------------------------------------------
    |
    | The guard to use for authenticating GraphQL requests, if needed.
    | This setting is used whenever Lighthouse looks for an authenticated user, for example in directives
    | such as `@guard` and when applying the `AttemptAuthentication` middleware.
    |
    */

    'guard' => 'sanctum',
```

Usage
-----


- [Login](#login)
- [Logout](#logout)
- [Register](#register)
- [Email Verification](#email-verification)
- [Resend Email Verification Link](#resend-email-verification-link)
- [Forgot Password](#forgot-password)
- [Reset Password](#reset-password)
- [Update Password](#update-password)

### Login


Authenticate the user to receive a Bearer token.

```
mutation {
    login(input: {
        email: "john.doe@gmail.com"
        password: "secret"
    }) {
        token
    }
}
```

Apply the Authorization header on subsequent calls using the token:

```
  "Authorization": "Bearer 1|lJo1cMhrW9tIUuGwlV1EPjKnvfZKzvgpGgplbwX9"
```

(Using something other than email? See [Custom Identification](#custom-identification))

### Logout


Revoke the current token.

```
mutation {
    logout {
        status
        message
    }
}
```

### Register


Successfully registering a user will immediately yield a bearer token (unless email verification is required).

```
mutation {
    register(input: {
        name: "John Doe"
        email: "john.doe@gmail.com"
        password: "secret"
        password_confirmation: "secret"
    }) {
        token
        status
    }
}
```

☝️ **Want to disable password confirmation?** Update your schema

[![](https://user-images.githubusercontent.com/3015394/116370867-1c6dda00-a80b-11eb-8fc4-e51166faa883.png)](https://user-images.githubusercontent.com/3015394/116370867-1c6dda00-a80b-11eb-8fc4-e51166faa883.png)

When registering a user in combination with the `MustVerifyEmail` contract, you can optionally define the URL for email verification. Both `__ID__` and `__HASH__` will be replaced with the proper values. When `use_signed_email_verification_url` is enabled in the configuration, the placeholders `__EXPIRES__` and `__SIGNATURE__` will be replaced as well.

```
mutation {
    register(input: {
        name: "John Doe"
        email: "john.doe@gmail.com"
        password: "secret"
        password_confirmation: "secret"
        verification_url: {
            url: "https://my-front-end.com/verify-email?id=__ID__&token=__HASH__"
# Signed:   url: "https://my-front-end.com/verify-email?id=__ID__&token=__HASH__&expires=__EXPIRES__&signature=__SIGNATURE__"
        }
    }) {
        token
        status
    }
}
```

### Email Verification

The `verification_url` provided at `register` or `resendEmailVerification` contains the `id` and `hash` for the mutation:

```
mutation {
  verifyEmail(input: {
    id: "1"
    hash: "af269947ed80d4a7bc3f78a6dfd05ec369373f9d"
  }) {
    status
  }
}
```

When `use_signed_email_verification_url` is enabled in the configuration, the input requires two additional fields.

```
mutation {
  verifyEmail(input: {
    id: "1"
    hash: "af269947ed80d4a7bc3f78a6dfd05ec369373f9d"
    expires: 1619775828
    signature: "e923636f1093c414aab39f846e9d7a372beefa7b628b28179197e539c56aa0f0"
  }) {
    status
  }
}
```

### Resend Email Verification Link

Use the default Laravel email verification notification.

```
mutation {
    resendEmailVerification(input: {
        email: "john.doe@gmail.com",
    }) {
        status
    }
}
```

Or use the custom verification flow by uncommenting the `verification_url` argument within the `ResendEmailVerificationInput`:

```
input ResendEmailVerificationInput {
    email: String! @rules(apply: ["email"])
    verification_url: VerificationUrlInput!
}
```

Example mutation:

```
mutation {
    resendEmailVerification(input: {
        email: "john.doe@gmail.com",
         verification_url: {
             url: "https://my-front-end.com/verify-email?id=__ID__&token=__HASH__"
             # or use signed url:
             # url: "https://my-front-end.com/verify-email?id=__ID__&token=__HASH__&expires=__EXPIRES__&signature=__SIGNATURE__"
        }
    }) {
        status
    }
}
```

### Forgot Password

Sends a reset password notification.

Optionally use a custom reset URL with the `__EMAIL__` and `__TOKEN__` placeholders.

```
mutation {
    forgotPassword(input: {
        email: "john.doe@gmail.com"
        reset_password_url: {
            url: "https://my-front-end.com/reset-password?email=__EMAIL__&token=__TOKEN__"
        }
    }) {
        status
        message
    }
}
```
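
Both `verification_url.url` and `reset_password_url.url` are templates taken from the mutation input and used for the link in the email. The block below is an added example, not code from lighthouse-sanctum, showing a server-side allowlist check for such templates; the helper name `isAllowedUrlTemplate` and the `ALLOWED_ORIGINS` list are assumptions made for illustration.

```php
<?php
// Added example, not lighthouse-sanctum code. Server-side allowlist check for
// caller-supplied link templates (verification_url.url, reset_password_url.url).

// Origins allowed in emailed links (constructed value; use your own front end).
const ALLOWED_ORIGINS = ['https://my-front-end.com'];

/**
 * True when $template targets an allowlisted origin and contains every
 * placeholder in $required, e.g. ['__ID__', '__HASH__'].
 * Hypothetical helper; the name and signature are this example's own.
 */
function isAllowedUrlTemplate(string $template, array $required, array $origins = ALLOWED_ORIGINS): bool
{
    // Whitespace, control characters and backslashes are parsed
    // inconsistently across URL parsers, so refuse them outright.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $template) === 1) {
        return false;
    }
    $parts = parse_url($template);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Userinfo ("https://allowed-host@other-host/") has no place in these links.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Exact origin comparison; substring matching would accept look-alike hosts.
    $origin = strtolower($parts['scheme']) . '://' . strtolower($parts['host']);
    if (isset($parts['port'])) {
        $origin .= ':' . $parts['port'];
    }
    if (!in_array($origin, $origins, true)) {
        return false;
    }
    foreach ($required as $placeholder) {
        if (!str_contains($template, $placeholder)) {
            return false; // the link would be unusable without this value
        }
    }
    return true;
}

// Constructed inputs: allowlisted origin, look-alike host, missing __TOKEN__.
$verify = ['__ID__', '__HASH__'];
var_dump(isAllowedUrlTemplate('https://my-front-end.com/verify-email?id=__ID__&token=__HASH__', $verify));
var_dump(isAllowedUrlTemplate('https://my-front-end.com.other.example/verify-email?id=__ID__&token=__HASH__', $verify));
var_dump(isAllowedUrlTemplate('https://my-front-end.com/reset-password?email=__EMAIL__', ['__EMAIL__', '__TOKEN__']));
```

Call a check like this from whatever validation layer guards the `url` input field, before the notification is sent.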

### Reset Password


Reset the user's password.

```
mutation {
    resetPassword(input: {
        email: "john.doe@gmail.com",
        token: "af269947ed80d4a7bc3f78a6dfd05ec369373f9d"
        password: "secret"
        password_confirmation: "secret"
    }) {
        status
        message
    }
}
```

☝️ **Want to disable password confirmation?** Update your schema

[![](https://user-images.githubusercontent.com/3015394/116374360-8045d200-a80e-11eb-891b-c9395d4e91a0.png)](https://user-images.githubusercontent.com/3015394/116374360-8045d200-a80e-11eb-891b-c9395d4e91a0.png)

### Update Password


Updates the current user's password.

```
mutation {
    updatePassword(input: {
        current_password: "mypass",
        password: "secret",
        password_confirmation: "secret"
    }) {
        status
    }
}
```

### Custom Identification


You can customize which fields are used for authenticating users.

For example, using `username` instead of the default `email`.

```
/*
|--------------------------------------------------------------------------
| Identification
|--------------------------------------------------------------------------
|
| Configure the credential fields by which the user will be identified.
| Default: email
*/

'user_identifier_field_name' => 'username',
```

Update the GraphQL schema accordingly:

```
input LoginInput {
    username: String! @rules(apply: ["required"])
}
```

Docker
------

Develop locally using [Docker](https://www.docker.com/) & [Docker Compose](https://docs.docker.com/compose/).

#### Setup


This will build the Docker image and prepare the container.

```
make setup
```

- CLI: `make app`
- Destroy: `make destroy`

#### CLI

Open a shell in the container to start developing.

```
make app
```

#### Destroy

Shut down and remove the container.

```
make destroy
```

Testing
-------


```
composer test
```

Coverage
--------


```
composer coverage
```

Static Analysis
---------------


```
composer analyze
```

Contributing
------------


Please see [CONTRIBUTING](CONTRIBUTING.md) for details.

Credits
-------


- [Daniel de Wit](https://github.com/daniel-de-wit)
- [wimski](https://github.com/wimski)
- [All Contributors](../../contributors)

License
-------


The MIT License (MIT). Please see [License File](LICENSE.md) for more information.

### Health Score

50 (Fair), better than 96% of packages.

- Maintenance: 45. Moderate activity, may be stable.
- Popularity: 46. Moderate usage in the ecosystem.
- Community: 18. Small or concentrated contributor base.
- Maturity: 73. Established project with proven stability.
- Bus Factor: 1. Top contributor holds 64.2% of commits (single point of failure).

How is this calculated?

- **Maintenance (25%)**: Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.
- **Popularity (30%)**: Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.
- **Community (15%)**: Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.
- **Maturity (30%)**: Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~96 days (recently: every ~244 days)
- Total: 16
- Last Release: 406d ago

Major Versions:

- 1.4.0 → 2.0.0 (2022-03-06)
- 2.3.0 → 3.0.0 (2023-05-09)
- 3.1.0 → 4.0.0 (2025-04-07)

PHP version history (5 changes):

- 1.0.0: PHP ^7.4 || ^8.0
- 2.0.0: PHP ^8.0.2
- 2.3.0: PHP ^8.0.2 || ^8.1.0 || ^8.2.0
- 3.0.0: PHP ^8.1
- 4.0.0: PHP ^8.2

### Community

Maintainers:

- [daniel-de-wit](/maintainers/daniel-de-wit)
- [wimski](/maintainers/wimski)

Top Contributors:

- [daniel-de-wit](https://github.com/daniel-de-wit) (111 commits)
- [wimski](https://github.com/wimski) (59 commits)
- [czim](https://github.com/czim) (1 commits)
- [mvdstam](https://github.com/mvdstam) (1 commits)
- [xorinzor](https://github.com/xorinzor) (1 commits)

Tags: lighthouse, laravel-sanctum, lighthouse-sanctum

### Code Quality

- Tests: PHPUnit
- Static Analysis: PHPStan, Rector
- Code Style: Laravel Pint

