amreljako/secure-sanctum

Latest stable version: v0.1.0

Composer install command:

composer require amreljako/secure-sanctum

Package description

Extended Laravel Sanctum authentication with advanced token security and management.

README

SecureSanctum is a Laravel package that extends the capabilities of Laravel Sanctum by providing enhanced token management, device control, expiration handling, and advanced authentication flow.

Features

  • Secure personal access token generation
  • Token expiration (configurable)
  • Device name storage
  • Token abilities (scopes)
  • Token revocation & cleanup
  • Limit maximum devices per user
  • Optional support for refresh tokens (configurable)
  • Fully integrated with Laravel out of the box

Installation

composer require amreljako/secure-sanctum

Make sure you already have Laravel Sanctum installed.

Configuration

  1. Publish the configuration file:
php artisan vendor:publish --tag=secure-sanctum-config
  2. The published config file: config/secure_sanctum.php
return [
    'token_expiry_days' => 30,
    'allow_multiple_devices' => true,
    'refresh_token_enabled' => true,
    'max_devices_per_user' => 3,
];

Migration

Run the built-in migration to create the user_tokens table:

php artisan migrate

Routes

The package registers these routes automatically (under /api/secure-auth):

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | /login | Issue a new token |
| POST | /logout | Revoke current token |
| GET | /tokens | List all user tokens |

Login Example

Request

POST /api/secure-auth/login
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "secret"
}

Response

{
  "access_token": "plain-text-token",
  "expires_in_days": 30
}

Token Usage

Add the token to your API requests using the Authorization header:

Authorization: Bearer plain-text-token

Token Schema

Table: user_tokens

| Column | Type | Description |
|--------|------|-------------|
| user_id | foreign key | Linked user |
| token | string(64) | Hashed token |
| device_name | string | Device/browser identifier |
| abilities | JSON | Token permissions |
| expires_at | timestamp | Expiry date |
| last_used_at | timestamp | Last used time |
| created_at | timestamp | Created time |
| updated_at | timestamp | Updated time |
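
The following standalone sketch is an added example, not SecureSanctum's own code: it models in memory what the user_tokens schema and the config keys above imply, namely that only a hash of the token is stored, expiry is checked on every validation, and active tokens per user are capped. The class name TokenStoreSketch and the use of hex SHA-256 (which fits the 64-character token column) are assumptions.

```php
<?php
// Added illustration, not the package's implementation. Assumption: the
// 64-char `token` column holds the hex SHA-256 digest of the plain token.
declare(strict_types=1);

final class TokenStoreSketch
{
    /** @var array<string, array> rows keyed by token hash, mimicking user_tokens */
    private array $rows = [];

    public function __construct(private int $expiryDays = 30, private int $maxDevices = 3) {}

    /** Issue a token; only its hash is stored, the plain value is returned once. */
    public function issue(int $userId, string $device, array $abilities, int $now): string
    {
        $active = array_filter($this->rows,
            fn (array $r) => $r['user_id'] === $userId && $r['expires_at'] > $now);
        if (count($active) >= $this->maxDevices) {
            throw new RuntimeException('device limit reached');
        }
        $plain = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
        $this->rows[hash('sha256', $plain)] = [
            'user_id' => $userId, 'device_name' => $device, 'abilities' => $abilities,
            'expires_at' => $now + $this->expiryDays * 86400, 'last_used_at' => null,
        ];
        return $plain;
    }

    /** Return the row for a presented token, or null if unknown or expired. */
    public function validate(string $plain, int $now): ?array
    {
        $hash = hash('sha256', $plain);               // a DB leak exposes hashes only
        if (!isset($this->rows[$hash])) {
            return null;
        }
        if ($this->rows[$hash]['expires_at'] <= $now) {
            unset($this->rows[$hash]);                // clean up the expired row
            return null;
        }
        $this->rows[$hash]['last_used_at'] = $now;
        return $this->rows[$hash];
    }
}

$store = new TokenStoreSketch(expiryDays: 7, maxDevices: 1);
$t0 = 1_700_000_000;                                  // constructed timestamp
$plain = $store->issue(1, 'MyDevice', ['*'], $t0);
var_dump($store->validate($plain, $t0 + 3600) !== null);   // presented within the lifetime
var_dump($store->validate($plain, $t0 + 8 * 86400));       // presented after expiry
```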

Programmatic Usage

You can create and validate tokens using the TokenManager service:

use Amreljako\SecureSanctum\Services\TokenManager;

$token = app(TokenManager::class)->createToken($user, 'MyDevice', ['*'], 7);

Validate a token manually:

$record = app(TokenManager::class)->validateToken($plainToken);

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

License

This package is open-sourced software licensed under the MIT license.

Statistics

  • Total downloads: 0
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 1
  • Clicks: 0
  • Dependents: 0
  • Suggesters: 0

GitHub information

  • Stars: 1
  • Watchers: 0
  • Forks: 0
  • Language: PHP

Other information

  • License: MIT
  • Updated: 2025-08-05