Use when implementing user authentication, API tokens, social login, or authorization. Covers Sanctum, Passport, Socialite, Fortify, policies, and gates for Laravel 12.
February 2, 2026
npx add-skill https://github.com/fusengine/agents/blob/main/plugins/laravel-expert/skills/laravel-auth/SKILL.md -a claude-code --skill laravel-auth
Installation paths: .claude/skills/laravel-auth/
# Laravel Authentication & Authorization
## Agent Workflow (MANDATORY)
Before ANY implementation, launch in parallel:
1. **fuse-ai-pilot:explore-codebase** - Check existing auth setup, guards, policies
2. **fuse-ai-pilot:research-expert** - Verify latest Laravel 12 auth docs via Context7
3. **mcp__context7__query-docs** - Query specific patterns (Sanctum, Passport, etc.)
After implementation, run **fuse-ai-pilot:sniper** for validation.
---
## Overview
Laravel provides a complete authentication and authorization ecosystem. Choose based on your needs:
| Package | Best For | Complexity |
|---------|----------|------------|
| **Starter Kits** | New projects, quick setup | Low |
| **Sanctum** | API tokens, SPA auth | Low |
| **Fortify** | Custom UI, headless backend | Medium |
| **Passport** | OAuth2 server, third-party access | High |
| **Socialite** | Social login (Google, GitHub) | Low |
---
## Critical Rules
1. **Use policies for model authorization** - Not inline `if` checks
2. **Always hash passwords** - `Hash::make()` or `'hashed'` cast
3. **Regenerate session after login** - Prevents fixation attacks
4. **Use HTTPS in production** - Required for secure cookies
5. **Define token abilities** - Principle of least privilege
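
Rules 1, 3 and 5 side by side, as an added example that is not code from this skill or its repository. It assumes Sanctum is installed, `App\Models\User` uses `HasApiTokens`, and a hypothetical `App\Models\Post` model has a `user_id` column; the controller name, token name and ability strings are illustrative.

```php
<?php
// Added example: assumes Laravel 12 with Sanctum, User using HasApiTokens, and a
// hypothetical Post model with a user_id column. In a real app each class has its own file.
namespace App\Policies {
    use App\Models\{Post, User};
    class PostPolicy
    {
        // Rule 1: the ownership decision lives in the policy, not in controllers.
        public function update(User $user, Post $post): bool
        {
            return $user->id === $post->user_id;
        }
    }
}

namespace App\Http\Controllers {
    use App\Models\Post;
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\{Auth, Gate};
    class ExampleAuthController
    {
        public function login(Request $request)
        {
            $credentials = $request->validate(['email' => ['required', 'email'], 'password' => ['required']]);
            if (! Auth::attempt($credentials)) {
                return back()->withErrors(['email' => 'Invalid credentials.'])->onlyInput('email');
            }
            $request->session()->regenerate(); // Rule 3: issue a new session ID after login
            return redirect()->intended('/');
        }

        public function issueToken(Request $request)
        {
            // Rule 5: this token can read posts and nothing else.
            $token = $request->user()->createToken('reporting-cli', ['posts:read']);
            return ['token' => $token->plainTextToken];
        }

        public function update(Request $request, Post $post)
        {
            // Token ability and model policy are separate checks; both must pass.
            abort_unless($request->user()->tokenCan('posts:update'), 403);
            Gate::authorize('update', $post); // resolves PostPolicy::update via policy discovery
            $post->update($request->validate(['title' => ['required', 'string', 'max:255']]));
            return $post;
        }
    }
}
```

A request authenticated with the `posts:read` token above is rejected with 403 at the `tokenCan` check before the policy is consulted, and a token that does carry `posts:update` is still rejected by the policy when the post belongs to another user.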
---
## Architecture
```
app/
├── Http/
│   ├── Controllers/
│   │   └── Auth/                  ← Auth controllers (if manual)
│   └── Middleware/
│       └── Authenticate.php       ← Redirects unauthenticated
├── Models/
│   └── User.php                   ← HasApiTokens trait (Sanctum)
├── Policies/                      ← Authorization policies
│   └── PostPolicy.php
├── Providers/
│   └── AppServiceProvider.php     ← Gate definitions
└── Actions/
    └── Fortify/                   ← Fortify actions (if used)
        ├── CreateNewUser.php
        └── ResetUserPassword.php
config/
├── auth.php                       ← Guards & providers
├── sanctum.php                    ← API token config
└── fortify.php                    ← Fortify features
```
---
## FuseCore Inte