- Web (session-based) — Inertia React pages for human users. Powered by Laravel’s built-in session guard.
- API (token-based) — REST endpoints for mobile apps and third-party integrations. Powered by Laravel Sanctum.
auth:sanctum routes.
Auth surfaces at a glance
| Method | Driver | Guard | Primary use case | Base path |
|---|---|---|---|---|
| Session | session | web | Inertia React UI, Filament admin | / |
| Sanctum token | sanctum | api | Mobile apps, REST API clients | /api/v1 |
| OTP (passwordless) | Custom | api | Consumer login without a password | /api/v1/otp |
| Social OAuth | Socialite / Sanctum | api | Google, Facebook, Apple, GitHub, Twitter | /api/v1/auth/social |
Security features
Rate limiting is applied at the route level using named throttle aliases:
- throttle:api - general API rate limit
- throttle:api.otp-generation - strict limit on OTP generation (3 requests/hour per identifier)
- throttle:api.verification - limit on OTP and coupon verification attempts
- throttle:api.transactions - limit on order creation
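The named aliases above are only labels; the actual limits and, more importantly, the key each limit is counted against, are defined with Laravel's RateLimiter. The following is an added example (not the project's own service provider) of how such definitions look. Only the OTP generation figure (3 requests/hour per identifier) comes from this page; the other numbers, the `identifier` request field, and the route paths in the trailing comment are assumptions. The point to notice is that the OTP limits are keyed by the hashed identifier rather than by client IP, so rotating IPs does not defeat them, with an IP-keyed limit layered on top.

```php
<?php

// Added example, not the project's own code. Assumed location: the boot()
// method of App\Providers\AppServiceProvider. Only the OTP generation limit
// (3/hour per identifier) is taken from the docs; the other values and the
// "identifier" request field are assumptions.

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // throttle:api - general limit, keyed by the authenticated user when a
        // Sanctum token is present, otherwise by client IP.
        RateLimiter::for('api', function (Request $request) {
            return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
        });

        // throttle:api.otp-generation - 3 per hour per identifier. Keying on the
        // normalised identifier (not the IP) stops an attacker from flooding one
        // victim with codes by rotating IPs; the second, IP-keyed limit stops one
        // client from spraying many identifiers. A request must pass both.
        // The identifier is hashed so the cache key does not store raw PII.
        RateLimiter::for('api.otp-generation', function (Request $request) {
            $identifier = strtolower(trim((string) $request->input('identifier')));

            return [
                Limit::perHour(3)->by('otp-gen:id:'.sha1($identifier)),
                Limit::perHour(30)->by('otp-gen:ip:'.$request->ip()),
            ];
        });

        // throttle:api.verification - OTP and coupon verification attempts,
        // keyed by identifier so a short numeric code cannot be brute-forced
        // from many source IPs. 5 attempts/minute is an assumed value.
        RateLimiter::for('api.verification', function (Request $request) {
            $identifier = strtolower(trim((string) $request->input('identifier')));

            return Limit::perMinute(5)
                ->by('verify:'.sha1($identifier))
                ->response(function (Request $request, array $headers) {
                    return response()->json(['message' => 'Too many attempts.'], 429, $headers);
                });
        });

        // throttle:api.transactions - order creation, keyed by user.
        RateLimiter::for('api.transactions', function (Request $request) {
            return Limit::perMinute(10)->by('tx:'.($request->user()?->id ?: $request->ip()));
        });
    }
}

// Usage in routes/api.php (paths and controller are assumptions):
//
// Route::prefix('v1')->middleware('throttle:api')->group(function () {
//     Route::post('otp/generate', [OtpController::class, 'generate'])
//         ->middleware('throttle:api.otp-generation');
//     Route::post('otp/verify', [OtpController::class, 'verify'])
//         ->middleware('throttle:api.verification');
// });
```

A quick check when reviewing such definitions: for every limiter that guards a guessable secret (an OTP, a coupon code), confirm the key is the target identifier and not the source IP, otherwise the limit protects the server from load but not the user from brute force.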
/verify-email/{id}/{hash}) and file download endpoints.
Tenant ownership isolation is enforced by the tenant.ownership middleware on all protected tenant routes, preventing cross-tenant data access (IDOR).
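Checking the top-level tenant is only half of an IDOR defence on nested routes such as /tenants/{tenant}/orders/{order}: the child resource must also belong to that tenant, or an attacker can pair their own tenant id with a victim's order id. The following is an added example of a middleware that does both, written here to illustrate the page's tenant.ownership middleware; it is not the project's own code. It assumes a Tenant model with an owner_id column, a {tenant} route parameter resolved by route-model binding, and a tenant_id column on tenant-scoped child models.

```php
<?php

namespace App\Http\Middleware;

use App\Models\Tenant;
use Closure;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

// Added example, not the project's own middleware. Assumes: Tenant model with
// owner_id, a {tenant} route parameter, and tenant_id on child models.
class EnsureTenantOwnership
{
    public function handle(Request $request, Closure $next): Response
    {
        $user = $request->user();
        $tenant = $request->route('tenant');

        // Accept either a bound model or a raw id from the URL.
        if (! $tenant instanceof Tenant) {
            $tenant = Tenant::query()->find($tenant);
        }

        // Unauthenticated, unknown tenant, or owned by someone else: answer 404
        // rather than 403 so the existence of other tenants' ids is not leaked.
        if ($user === null || $tenant === null || (int) $tenant->owner_id !== (int) $user->getKey()) {
            abort(404);
        }

        // Nested resources: every other bound model that carries a tenant_id
        // must belong to *this* tenant, otherwise /tenants/{mine}/orders/{theirs}
        // would pass the ownership check above and still expose the order.
        foreach ($request->route()->parameters() as $name => $value) {
            if ($name === 'tenant' || ! $value instanceof Model) {
                continue;
            }

            $childTenantId = $value->getAttribute('tenant_id');

            if ($childTenantId !== null && (int) $childTenantId !== (int) $tenant->getKey()) {
                abort(404);
            }
        }

        return $next($request);
    }
}

// Registration under the alias used on this page (Laravel 11, bootstrap/app.php):
//   ->withMiddleware(fn (Middleware $middleware) => $middleware->alias([
//       'tenant.ownership' => EnsureTenantOwnership::class,
//   ]))
//
// Usage (routes/api.php; the route is an assumption):
//   Route::middleware(['auth:sanctum', 'tenant.ownership'])
//       ->get('/v1/tenants/{tenant}/orders/{order}', [OrderController::class, 'show']);
```

Laravel's Route::scopeBindings() gives a similar child-belongs-to-parent guarantee for implicitly bound models, but it relies on the relationship being declared on the model; an explicit middleware check like the one above makes the guarantee independent of how each controller declares its bindings.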
Session rotation is performed on login and impersonation exit to prevent session-fixation attacks.
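The two moments named above are exactly where a session-fixation or session-replay attack bites: if the session id survives login, an attacker who planted that id in the victim's browser now holds an authenticated session; if it survives the end of impersonation, the id that represented the impersonated user becomes the admin's. The following is an added example of a session controller that rotates the id at both points; it is not the project's own controller. It assumes the default web session guard, a User model, an `impersonator_id` session key, and an `impersonate` authorization ability, all of which are assumptions.

```php
<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Validation\ValidationException;

// Added example, not the project's own controller. The 'impersonator_id'
// session key and the can('impersonate', ...) ability are assumptions.
class SessionController extends Controller
{
    public function store(Request $request): RedirectResponse
    {
        $credentials = $request->validate([
            'email' => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        if (! Auth::guard('web')->attempt($credentials, $request->boolean('remember'))) {
            throw ValidationException::withMessages(['email' => __('auth.failed')]);
        }

        // Session fixation defence: the pre-login session id, which an attacker
        // could have planted in the victim's browser, is replaced with a fresh
        // one. regenerate() also rotates the CSRF token.
        $request->session()->regenerate();

        return redirect()->intended('/');
    }

    public function destroy(Request $request): RedirectResponse
    {
        Auth::guard('web')->logout();

        // Drop all session data and rotate both the id and the CSRF token.
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect('/');
    }

    public function impersonate(Request $request, User $target): RedirectResponse
    {
        abort_unless($request->user()->can('impersonate', $target), 403);

        // Remember who started impersonating; this is the only way back.
        $request->session()->put('impersonator_id', $request->user()->getKey());

        // login() without the remember flag: no long-lived cookie is issued for
        // the switched user. regenerate() keeps session data (including the
        // impersonator_id above) but issues a new id.
        Auth::guard('web')->login($target);
        $request->session()->regenerate();

        return redirect('/');
    }

    public function stopImpersonating(Request $request): RedirectResponse
    {
        $impersonatorId = $request->session()->pull('impersonator_id');
        abort_if($impersonatorId === null, 403);

        $impersonator = User::query()->findOrFail($impersonatorId);

        // Switch back and rotate the id again, so the id that identified the
        // impersonated session cannot be replayed as the admin's session.
        Auth::guard('web')->login($impersonator);
        $request->session()->regenerate();

        return redirect('/admin');
    }
}
```

When auditing this, verify the rotation by reading the session cookie before and after each transition: the value must change on login, on entering impersonation and on leaving it, and the old value must no longer resolve to a session.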
Explore auth topics
Web authentication
Register, login, password reset, email verification, and profile management via Inertia React pages.
API authentication
Sanctum token issuance, protected routes, and push subscription management.
One-time passwords
Passwordless login flow with OTP generation, verification, and idempotency.
Social login
OAuth via Google, Facebook, Apple, GitHub, and Twitter through a single API endpoint.
Roles and permissions
Spatie Permission roles, tenant ownership middleware, and impersonation.