Laravel comes packed with many ways to authenticate users. When you install a new application and want to add authentication to it, you are not short of choices. The options available for user authentication within Laravel include:
As we can see, there are many installable packages that aim to make the whole process of Laravel authentication simple and easy for any software developer to get started.
However, it may be overwhelming at times to determine which user authentication system to use. This article aims to cover what each package is and when it is a good idea to choose one over the others. We'll go over each package one by one with some practical examples. By the end of this, you'll have a better idea of which package might be right for you and how to get started with it. Let's jump in!
Laravel's default Auth facade
Before we take a look at the installable packages that can be used to authenticate our users, it may be important to note that Laravel can authenticate users without having to install any additional packages. One may use the default Auth facade authentication system that ships with the framework.
Basic authentication with the Auth facade
If you want to use the Auth facade in your Laravel application, just ensure that your database has a record for the user that you want to authenticate; we can then find the user and log them in as follows:
use Illuminate\Support\Facades\Auth;
use App\Models\User;
// where() alone returns a query builder; firstOrFail() fetches the User model (404 if no such user)
$user = User::where('email', 'email@example.com')->firstOrFail();
Auth::login($user);
This will authenticate the user and create the session as needed. You are free to build whatever custom logic you want around this facade. A small note and something to remember is that all the packages and installable options available within the Laravel ecosystem will make use of this facade and the login() method to generate authentication sessions.
Logging a user out
Logging out an authenticated user is even easier. Just use:
Auth::logout();
Attempting authentication
Usually, when you're authenticating a user, you're doing it with user-provided credentials. These may or may not be accurate, and you should use the attempt() method, which verifies the submitted plain-text password against the hashed password stored in your database and only logs the user in if they match:
if (Auth::attempt(['email' => 'email@example.com', 'password' => 'password'])) {
    // Do something you only want to do for authenticated users
}
Validating the credentials without creating a session
Sometimes you may want to validate that a user provided correct credentials without actually "logging them in," or creating a session. You can do this with the conveniently named validate() method:
if (Auth::validate(['email' => 'email@example.com', 'password' => 'password'])) {
    // Do something you only want to do if credentials are valid
}
For more information about how Laravel handles this and what is available to you directly from the framework, check out the complete documentation.
Laravel Breeze
If you are looking for a simple and easy-to-customize authentication process, then Laravel Breeze is the authentication system for you. Breeze is the easiest and most customizable of all the options available within the ecosystem. Out of the box, Breeze will provide you with the following:
- Login
- Registration
- Password Reset
- Password Confirmations
- Profile Management
- Email Verification
Furthermore, all of this will come fully unit-tested. Sure, you could do this yourself, but you'd also have to test and maintain this core functionality. For most projects, Breeze is the perfect starting point.
When installing Breeze, you can also choose the type of project you would like to build, and the package will scaffold the required dependencies for you. This makes Breeze a great way to begin a project. Need Livewire? Breeze will automatically install Livewire and connect all the authentication to use Livewire. Do you prefer Inertia? Simply choose which stack you want to work with when installing, and from there, you are ready to build. Pretty neat!
API authentication with Laravel Breeze
Although Breeze is primarily designed for web-based applications, it can be extended to support API authentication. By combining Breeze with Laravel Sanctum (which we'll cover a bit later), you can build hybrid applications with both web and API access.
When to use Laravel Breeze
For small to medium projects or when starting a new Laravel app, Breeze offers the right balance of simplicity and flexibility. It’s a solid foundation that doesn’t get in your way but scales with your project needs.
For more advanced authentication workflow requirements, such as applications with groups and teams, Laravel Jetstream may be more suitable. With Laravel Breeze, two-factor authentication isn't built-in, but it's a standard feature for Laravel Jetstream. We'll go over that next.
To get started with Laravel Breeze, check out the complete documentation.
Laravel Jetstream
Laravel Jetstream is a more complicated version of Breeze in that it gives you a lot more features available to use. Jetstream comes with the following out of the box:
- Login
- Registration
- Profile Management
- Password Reset
- Email Verification
- Two-factor Authentication (2FA)
- Teams Management
- Browser Sessions Management
- API Tokens & Permissions
The docs are packed full of examples and methods for overriding the default behavior, so if Jetstream sounds like your cup of tea, I recommend starting there.
When you install Laravel Jetstream, you'll need to configure your preferred front end stack - Livewire and Blade, or Inertia.js and Vue.js (or React).
Customizing Laravel Jetstream
While Jetstream is powerful, it’s more opinionated than Breeze and can feel complex to customize. However, it’s fully extendable if you're familiar with Laravel's service container and middleware.
When using Laravel Jetstream, you are able to choose which features you would like to have enabled and can expand the features as you go. The main difference between Jetstream and Breeze is the ease of use. In my personal opinion, Jetstream is a little harder to customize, although it is fully customizable for someone who knows what they are doing.
When is Jetstream the right choice?
Jetstream is a good option if you are looking to build a fully fledged web app. If you need advanced authentication features like 2FA, API tokens, and session management, Jetstream is a reasonable choice. Jetstream is also a good option if your application requires multi-tenancy or team-based access and you don't want to write that from scratch.
Comparing Laravel Breeze vs Jetstream is pretty easy - Laravel Breeze is easy and lightweight. Meanwhile, Laravel Jetstream is harder to implement but enables more features like multi-tenancy and teams.
To get started with Laravel Jetstream and learn more about what it can do, check out the complete documentation.
Laravel Fortify
Laravel Fortify is a front-end-agnostic implementation of the authentication process. What this means is that the installed package will provide all the needed authentication backend tools to get started, leaving the entire front end of your app up to you. It has plenty of features, most of which match Laravel Jetstream (but without the front end).
Out of the box, Fortify will provide the backend implementation for the following:
- Login
- Registration
- Password Management
- Two-Factor Authentication
- Email Verification
An authentication package without any front end?
We have previously discussed Laravel Jetstream, which makes use of Laravel Fortify for its complete implementation. Fortify is a great option for anyone who wants to get started with authentication quickly but would prefer to handle the auth logic without being coupled to any UI options that come with the other authentication options.
Since Fortify doesn’t provide front end scaffolding, you need to create the necessary views and login page yourself. This makes it extremely flexible and allows seamless integration with front end frameworks like Vue.js, React, or even custom Blade templates.
When to use Laravel Fortify
Fortify is really best suited for applications where you need full control over the front end. Perhaps you want to build a custom authentication flow without relying on pre-built UI components or you're integrating with a not-so-flexible front end SPA.
It's also a handy option if you just need to build a headless authentication system for an API that is going to be used by a mobile application. For developers comfortable crafting custom UIs or integrating with front end frameworks, Fortify provides unmatched flexibility and security.
Installing Fortify on your project is simple and fully documented; check out the complete documentation.
Laravel Sanctum
Unlike the other methods of authentication described above, Sanctum is an API authentication system. This is really helpful for API-based or SPA-based applications.
When building an SPA or API, the client (for example, a web browser) typically makes a request to retrieve an authentication token. This token is then passed along with subsequent requests and tells the application whether the token is allowed to access specific types of data. Laravel Sanctum offers a simple way to create these tokens.
Setting up Laravel Sanctum
The installation of Sanctum is essentially only going to install a trait and a middleware that hook into your existing authentication system. This allows you to build an app UI using one of the methods described above and then implement Sanctum on top of it for anything extra.
Laravel Breeze vs Sanctum
While Laravel Breeze is a good choice for full-stack apps, Sanctum is more suited for API development or creating a mechanism of authentication for a single-page application. If you're just building authentication for an API or SPA, choose Sanctum. If you're building a server-rendered app, Breeze is a more appropriate choice.
When is Laravel Sanctum the right choice?
Sanctum is a great choice when dealing with mobile apps or providing additional API endpoints to an existing application. The use case for these simple "personal access tokens" is vast and can be applied in many circumstances.
Sanctum also supports cookie-based session authentication, eliminating the need to manage the API tokens. This is a better option for SPAs but not a good fit for APIs.
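The token flow described above, as an added example that is not code from the article or from Sanctum itself: a mobile client exchanges credentials for a personal access token using Auth::validate() (no web session is created), the token is limited to one ability and given an expiry, and a protected route checks that ability before responding. The 'posts:read' ability, the posts() relation on User and the route paths are assumptions; the expiry argument to createToken() assumes Sanctum 3 or newer.

```php
<?php
// routes/api.php (added example, not from the article or the Sanctum package)

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\ValidationException;

// A mobile client trades credentials for a token once, then sends it as
// "Authorization: Bearer <token>". Auth::validate() checks the password
// without creating a web session, which an API client does not need.
Route::post('/token', function (Request $request) {
    $data = $request->validate([
        'email'       => ['required', 'email'],
        'password'    => ['required', 'string'],
        'device_name' => ['required', 'string', 'max:100'],
    ]);

    if (! Auth::validate(['email' => $data['email'], 'password' => $data['password']])) {
        throw ValidationException::withMessages([
            'email' => 'The provided credentials are incorrect.',
        ]);
    }

    $user = User::where('email', $data['email'])->firstOrFail();

    // Restrict the token to the abilities this device needs (assumed name)
    // and give it an expiry; the plain-text token is only visible here,
    // the database keeps only a SHA-256 hash of it.
    $token = $user->createToken($data['device_name'], ['posts:read'], now()->addDays(30));

    return response()->json(['token' => $token->plainTextToken]);
});

Route::middleware('auth:sanctum')->group(function () {
    // Ability check per route: a token issued without 'posts:read' gets 403.
    Route::get('/posts', function (Request $request) {
        abort_unless($request->user()->tokenCan('posts:read'), 403);
        return $request->user()->posts()->latest()->limit(20)->get(); // posts() is assumed
    });

    // Revoke only the token that made this request (sign-out on one device).
    Route::post('/token/revoke', function (Request $request) {
        $request->user()->currentAccessToken()->delete();
        return response()->noContent();
    });
});
```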
For more information on Laravel Sanctum, as well as installation instructions, check out the complete documentation.
Laravel Passport
Laravel Passport functions the same as Sanctum. However, the biggest difference is that Passport makes use of the OAuth protocol. Thus, the app will need to grant access before API calls can be made. Think of "Login With Facebook" or "Connect to GitHub"; these are examples of OAuth.
Laravel Passport provides a way for users to obtain an API key by connecting their app to your app. Once the connection is successful, an API key will be given for the connection.
In most cases, Laravel Passport is not preferred over Laravel Sanctum, and this should be considered when building your application. Passport should only be used when the requirement is to build an OAuth system. It is important to note that Passport requires considerable knowledge and server management to keep it up and running.
Once Passport is installed, and keys have been generated, it functions the same as Sanctum in providing a middleware to authenticate requests.
When to Use Laravel Passport
Laravel Passport might be the right option for you if some of these are true:
- You need OAuth2 for third-party app integrations.
- You're building something that offers external API access.
- Your application really needs complex scope-based permissions and token lifecycle management.
Laravel Passport vs Sanctum
For simpler applications or internal APIs, Laravel Sanctum is a more lightweight choice than Laravel Passport and has the added bonus of being easier to implement. The main difference between Sanctum and Passport is OAuth, so you'll just have to decide if that's a requirement for your application. Still, keep in mind that Passport is the industry-standard solution when your application requires OAuth2.
To learn more about Laravel Passport, check out the complete documentation.
Which Option Should You Choose?
With all the options above, we can see that it is easy to get overwhelmed by the choices, and it may be difficult at times to decide which one to use.
In my personal opinion, if you are going to be building an application from scratch, the best choice would be Laravel Breeze. Simply install it, publish all files, and hack away on your next application. It's great for small and medium projects, is fully customizable while providing a solid starting point for login and registration flows, and even helps you handle password resets!
Furthermore, if you will be extending an existing application but want to make use of the "Laravel Way", then Laravel Fortify is for you! Install the package and refactor each feature to use the new methods provided. Laravel Fortify only ships with backend authentication logic, so you'll have complete UI control. It also supports login, registration, password resets, and even 2FA. It's a great choice if you already have a custom front end or are building a backend for a mobile app.
Additionally, if you want to build a quick MVP but do not care too much about how it looks, I would go with Jetstream and refactor after the initial MVP phase. It's more opinionated than your other options but it's quick to get something useful done. It even has team management as an option.
Moreover, if you need an API, use any of the above methods that fits your preference and then slap Sanctum on top of it.
However, in most cases, Laravel Breeze is the easiest and simplest to work with without locking you into any hidden pieces of code or methodologies.
Building Laravel authentication in your own apps
The Laravel authentication ecosystem is vast, and each of the above packages is actively maintained, which means that they will get better over time. This makes Laravel a good choice for your next application. With so many approaches to authentication implementation, developers have the freedom to build whatever they want with as much freedom as they could ever need. What will you build next?