PHPackages                             m-thalmann/laravel-token-auth - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [HTTP &amp; Networking](/categories/http)
4. /
5. m-thalmann/laravel-token-auth

ActiveLibrary[HTTP &amp; Networking](/categories/http)

m-thalmann/laravel-token-auth
=============================

Provides token-based authentication system for Laravel REST APIs

v2.0.0(1y ago)092MITPHPPHP ^8.1

Since Jul 11Pushed 1y ago1 watchersCompare

[ Source](https://github.com/m-thalmann/laravel-token-auth)[ Packagist](https://packagist.org/packages/m-thalmann/laravel-token-auth)[ Docs](https://github.com/m-thalmann/laravel-token-auth)[ RSS](/packages/m-thalmann-laravel-token-auth/feed)WikiDiscussions main Synced 1mo ago

READMEChangelog (10)Dependencies (6)Versions (11)Used By (0)

Laravel Token Auth
==================

[](#laravel-token-auth)

[![Build Status](https://github.com/m-thalmann/laravel-token-auth/workflows/tests/badge.svg)](https://github.com/m-thalmann/laravel-token-auth/actions)[![codecov](https://camo.githubusercontent.com/de5fb0e2f93d8a00f6362a92465262c22cb94b8ac7c25d0351555530b5525aa9/68747470733a2f2f636f6465636f762e696f2f67682f6d2d7468616c6d616e6e2f6c61726176656c2d746f6b656e2d617574682f6272616e63682f6d61696e2f67726170682f62616467652e7376673f746f6b656e3d54494649375147474d42)](https://codecov.io/gh/m-thalmann/laravel-token-auth)[![Total Downloads](https://camo.githubusercontent.com/ab97deafa7ce6fd967a5266f257e152b66d41a51c16f1b8b1349efab0b85f577/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f6d2d7468616c6d616e6e2f6c61726176656c2d746f6b656e2d61757468)](https://packagist.org/packages/m-thalmann/laravel-token-auth)[![Latest Stable Version](https://camo.githubusercontent.com/a604ff53b0f8867dc12ad47439d47b80cc8b40f0d4b162065f4e033050bee555/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f6d2d7468616c6d616e6e2f6c61726176656c2d746f6b656e2d61757468)](https://packagist.org/packages/m-thalmann/laravel-token-auth)[![License](https://camo.githubusercontent.com/33cddfd0ba0c55b1b18b70d01df808409eef7b89d428e17894e644c8d13e82e4/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f6c6963656e73652f6d2d7468616c6d616e6e2f6c61726176656c2d746f6b656e2d61757468)](https://github.com/m-thalmann/laravel-token-auth)

Table of contents
-----------------

[](#table-of-contents)

- [Introduction](#introduction)
- [Installation](#installation)
- [Quick start](#quick-start)
    - [Protect routes](#protect-routes)
    - [Revoke tokens](#revoke-tokens)
    - [Prune revoked / expired tokens](#prune-revoked--expired-tokens)

> **See the detailed documentation at: [/docs](/docs/README.md)**

Introduction
------------

[](#introduction)

Laravel Token Auth provides functionality to authenticate Laravel APIs using access and refresh tokens.

It is heavily inspired by [Laravel Sanctum](https://github.com/laravel/sanctum).

### Refresh tokens

[](#refresh-tokens)

Refresh tokens are used to create new access tokens. This way an access token can have only a short expiration time without the need for the user to login again.

To keep these refresh tokens save we can implement refresh token rotation. When a new access token is requested using a refresh token, the new access token and a new refresh token is returned. The used refresh token is then revoked but kept in the database. This way it can be detected if a refresh token is reused.

For more details see:

Installation
------------

[](#installation)

**[`^ back to top ^`](#)**

```
composer require m-thalmann/laravel-token-auth

```

If you want to customize the migrations, configuration run the publish command:

```
php artisan vendor:publish --provider="TokenAuth\TokenAuthServiceProvider"

```

If you only want to customize parts you can run the following:

- **Migrations**: `php artisan vendor:publish --tag="token-auth-migrations"`
- **Configuration**: `php artisan vendor:publish --tag="token-auth-config"`

Next you should run the migrations:

```
php artisan migrate

```

Quick start
-----------

[](#quick-start)

**[`^ back to top ^`](#)**

Add the `HasAuthTokens` trait to the Eloquent user model:

```
use TokenAuth\Concerns\HasAuthTokens;

class User extends Authenticatable
{
  use HasAuthTokens;

  // ...
}
```

Add the following routes for authentication:

> **Info:** Of course you should create your own controllers for this. This is just a simplification.

```
use TokenAuth\Enums\TokenType;
use TokenAuth\Facades\TokenAuth;
use TokenAuth\Models\AuthToken;

Route::post('/login', function (Request $request) {
  $credentials = $request->validate([
    'email' => 'required',
    'password' => 'required',
  ]);

  if (!Auth::once($credentials)) {
    throw new HttpException(401);
  }

  $tokenPair = TokenAuth::createTokenPair(auth()->user())->buildPair();

  return [
    'refresh_token' => $tokenPair->refreshToken->plainTextToken,
    'access_token' => $tokenPair->accessToken->plainTextToken,
  ];
});

Route::post('/logout', function () {
  AuthToken::deleteTokensFromGroup(TokenAuth::currentToken()->getGroupId());
})->middleware('auth:token-access');

Route::post('/refresh', function () {
  // ...

  $tokenPair = TokenAuth::rotateTokenPair(
    TokenAuth::currentToken()
  )->buildPair();

  return [
    'refresh_token' => $tokenPair->refreshToken->plainTextToken,
    'access_token' => $tokenPair->accessToken->plainTextToken,
  ];
})->middleware('auth:token-refresh');

Route::post('/tokens', function () {
  // ...

  /**
   * @var \TokenAuth\Concerns\HasAuthTokens
   */
  $user = auth()->user();

  $accessToken = $user->createToken(TokenType::ACCESS)->build();

  return [
    'access_token' => $accessToken->plainTextToken,
  ];
})->middleware('auth:token-refresh');
```

### Protect routes

[](#protect-routes)

```
Route::get('/private', function () {
  // only allows access tokens ...
})->middleware('auth:token-access');

Route::get('/private-refresh-token', function () {
  // only allows refresh tokens ...
})->middleware('auth:token-refresh');
```

### Revoke tokens

[](#revoke-tokens)

```
Route::get('/revoke/{token}', function (AuthToken $token) {
  $token->revoke()->store();
})->middleware('auth:token-refresh');
```

#### Prune revoked / expired tokens

[](#prune-revoked--expired-tokens)

```
// app/Console/Kernel.php

protected function schedule(Schedule $schedule) {
  // ...
  $schedule->command('model:prune')->daily();
}
```

###  Health Score

31

—

LowBetter than 68% of packages

Maintenance34

Infrequent updates — may be unmaintained

Popularity9

Limited adoption so far

Community7

Small or concentrated contributor base

Maturity62

Established project with proven stability

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~86 days

Recently: every ~190 days

Total

10

Last Release

626d ago

Major Versions

v0.4.1 → v1.0.02023-08-23

v1.0.1 → v2.0.02024-08-24

PHP version history (2 changes)v0.1.0PHP ^8.0

v1.0.0PHP ^8.1

### Community

Maintainers

![](https://www.gravatar.com/avatar/c5cf32a490a924af7802c7f935bdd53e4d8ba0e8dab6c9ebd01c2664d23befef?d=identicon)[m-thalmann](/maintainers/m-thalmann)

---

Top Contributors

[![m-thalmann](https://avatars.githubusercontent.com/u/30590624?v=4)](https://github.com/m-thalmann "m-thalmann (80 commits)")

---

Tags

authenticationlaravellaravel-packagerefresh-tokenstokensapilaravelresttokensauthrefresh-token

###  Code Quality

TestsPHPUnit

### Embed Badge

![Health badge](/badges/m-thalmann-laravel-token-auth/health.svg)

```
[![Health](https://phpackages.com/badges/m-thalmann-laravel-token-auth/health.svg)](https://phpackages.com/packages/m-thalmann-laravel-token-auth)
```

###  Alternatives

[api-platform/laravel

API Platform support for Laravel

59126.4k6](/packages/api-platform-laravel)[francescomalatesta/laravel-api-boilerplate-jwt

An API Boilerplate to create a ready-to-use REST API in seconds.

1.2k7.5k](/packages/francescomalatesta-laravel-api-boilerplate-jwt)[dragon-code/laravel-http-logger

Logging incoming HTTP requests

319.8k3](/packages/dragon-code-laravel-http-logger)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)