Working with Laravel Sanctum in Paw

How to get Paw to work with Laravel's Sanctum SPA authentication
Ahmet Özışık · Founder · June 22nd, 2020

Laravel has recently launched a new authentication gate called Sanctum. In this post, I'll show you how to set up Paw so that it plays nicely with Sanctum's SPA Authentication, which uses Laravel's built-in session authentication.


To make sure we're on the same page, here's my setup:

  1. Fresh Laravel 7.x installation, with Sanctum enabled (I'm using only the SPA mode).
  2. Paw (v3) with the following extension installed: Laravel CSRF Token Dynamic Value

If you're set too, let's go.

Let's do this

Step 1. Get the CSRF cookie

In Paw, add a new request that calls GET /sanctum/csrf-cookie You can name this request "Get Sanctum CSRF cookie."

Step 2. The login endpoint

Let's create another request that'll call POST /login (or the login endpoint of yours). Configure the request like this:

Don't forget to set up the values for email/password accordingly.

If everything goes right, you'll get back an user object, and a bunch of cookies that sign you in.

Step 3. Don't forget to set the referer

All is good until this point. But don't forget to set the "Referer" header when calling a protected endpoint, because otheriwse you'll get 401 Unauthenticated.

Let's see an example:

baseUrl here points at the Laravel application. The path does not seem to matter, only the domain must match.

If something goes wrong?

You can take a look at Paw's documentation. In most cases, resetting the session (deleting all the cookies) works fine.

Good luck!

Complete monitoring toolkit for Laravel apps. Now in private beta!

Learn more