Skip to main content
AnimeThemes Server uses Laravel Sanctum to provide token-based authentication for API requests. This guide covers token generation, usage, and management.

Configuration

Sanctum configuration is defined in config/sanctum.php.

Stateful Domains

Domains that receive stateful API authentication cookies: 
'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
    '%s%s',
    'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1',
    Sanctum::currentApplicationUrlWithPort()
))),
Configure via environment variable: 
SANCTUM_STATEFUL_DOMAINS=localhost,example.com

Authentication Guards

Sanctum checks the web guard for authentication: 
'guard' => ['web'],

Token Expiration

Tokens expire after 1 year: 
'expiration' => CarbonInterval::year()->totalMinutes,
This can be customized to any duration. Set to null for tokens that never expire.

Generating Tokens

The User model uses the HasApiTokens trait from Laravel Sanctum (app/Models/Auth/User.php:69): 
use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens;
    // ...
}

Via Filament Panel

Currently, the primary method to generate tokens is through the Filament admin panel:
  1. Log in to the admin panel at /admin
  2. Navigate to your user profile
  3. Generate a new personal access token
  4. Copy and securely store the token

Programmatically (for reference)

Tokens can be created programmatically using: 
$token = $user->createToken('token-name');

// Access the plain-text token
$plainTextToken = $token->plainTextToken;
Note: The plain-text token is only available at creation time and cannot be retrieved later.

Using Tokens

Authorization Header

Include the token in the Authorization header using the Bearer scheme: 
GET /api/me HTTP/1.1
Host: api.animethemes.moe
Authorization: Bearer 1|abcdefghijklmnopqrstuvwxyz1234567890

cURL Example

curl https://api.animethemes.moe/api/me \
  -H "Authorization: Bearer YOUR_TOKEN_HERE" \
  -H "Accept: application/json"

JavaScript/Fetch Example

const response = await fetch('https://api.animethemes.moe/api/me', {
  headers: {
    'Authorization': 'Bearer YOUR_TOKEN_HERE',
    'Accept': 'application/json'
  }
});

const user = await response.json();

PHP/Guzzle Example

use GuzzleHttp\Client;

$client = new Client([
    'base_uri' => 'https://api.animethemes.moe',
    'headers' => [
        'Authorization' => 'Bearer YOUR_TOKEN_HERE',
        'Accept' => 'application/json',
    ]
]);

$response = $client->get('/api/me');

Python/Requests Example

import requests

headers = {
    'Authorization': 'Bearer YOUR_TOKEN_HERE',
    'Accept': 'application/json'
}

response = requests.get('https://api.animethemes.moe/api/me', headers=headers)
user = response.json()

Middleware

The Sanctum authentication middleware is applied to protected routes.

Authenticate Middleware

Example from MyController (app/Http/Controllers/Api/Auth/User/Me/MyController.php:25): 
public function __construct()
{
    $this->middleware(Authenticate::using('sanctum'));
}
This ensures only authenticated requests can access the endpoint.

Protected Routes

User Endpoints

The following endpoints require authentication: Current User 
GET /api/me
Returns authenticated user information. User Playlists 
GET /api/me/playlist
Returns user’s playlists. External Profiles 
GET /api/me/externalprofile
Returns user’s connected external profiles (MAL, AniList, etc.). Notifications 
GET /api/me/notification
PUT /api/me/notification/readall
PUT /api/me/notification/{notification}/read
PUT /api/me/notification/{notification}/unread
Manage user notifications.

Token Management

Token Model

Tokens are stored using Laravel Sanctum’s PersonalAccessToken model. The User model defines the relationship (app/Models/Auth/User.php:59): 
/**
 * @property Collection<int, PersonalAccessToken> $tokens
 */

Revoking Tokens

Tokens can be revoked programmatically: 
// Revoke a specific token
$user->tokens()->where('id', $tokenId)->delete();

// Revoke all tokens
$user->tokens()->delete();

// Revoke current token
$request->user()->currentAccessToken()->delete();

Security Best Practices

Token Storage

  • Never commit tokens to version control
  • Store securely in environment variables or secure vaults
  • Use HTTPS only for API requests with tokens
  • Rotate tokens regularly for enhanced security

Token Scope

While Sanctum supports token abilities/scopes, AnimeThemes Server currently relies on role-based permissions instead.

Rate Limiting

Authenticated requests may have different rate limits than anonymous requests. Users with the bypass api rate limiter permission are exempt from rate limiting.

Troubleshooting

401 Unauthorized

  • Verify token is included in Authorization header
  • Ensure token format is Bearer TOKEN
  • Check token hasn’t been revoked
  • Verify token hasn’t expired

403 Forbidden

  • User is authenticated but lacks required permissions
  • See Permissions documentation

Invalid Token Format

Sanctum tokens have the format: {token_id}|{plain_text_token} Example: 1|abcdefghijklmnopqrstuvwxyz1234567890

Next Steps

Build docs developers (and LLMs) love

Get started for freeTalk to us