Does Laravel Sanctum Use JWT? Sanctum vs JWT Explained (2025)

Short answer: No, Laravel Sanctum does not use JWT. Sanctum uses opaque tokens — random strings stored in your database. Every request validates the token with a DB lookup. JWT is stateless and self-contained — no database needed. They solve the same problem in fundamentally different ways.

How Laravel Sanctum Tokens Actually Work

When a user authenticates with Sanctum, Laravel generates a random token string and stores a hashed version in the personal_access_tokens table. On each request, the plain token is sent in the Authorization header, Laravel hashes it, and looks it up in the database to find the associated user.

This is the opposite of JWT. There is no payload, no signature verification, no expiry baked into the token itself — all of that lives in the database record.

    // Install Sanctum
    composer require laravel/sanctum
    php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
    php artisan migrate

    // Issue a token on login
    $token = $user->createToken('api-token')->plainTextToken;
    // Returns: "1|abc123randomstring..."
    // The "1" is the token ID in personal_access_tokens table

    // Protect routes
    Route::middleware('auth:sanctum')->group(function () {
        Route::get('/user', fn(Request $r) => $r->user());
    });

How JWT Tokens Work

A JWT is a string with three base64url-encoded parts separated by dots: a header, a payload (user data/claims), and a cryptographic signature. The payload is encoded, not encrypted, so anyone holding the token can read the claims. The server validates the signature on every request — no database lookup needed. The token itself proves who the user is.

    // Install tymon/jwt-auth
    composer require tymon/jwt-auth
    php artisan vendor:publish --provider="Tymon\JWTAuth\Providers\LaravelServiceProvider"
    php artisan jwt:secret

    // Issue a JWT on login
    $token = JWTAuth::attempt(['email' => $email, 'password' => $password]);
    // Returns: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
    // Self-contained — user data is encoded inside the token

    // Protect routes
    Route::middleware('auth:api')->group(function () {
        Route::get('/user', fn() => auth()->user());
    });

Sanctum vs JWT — Full Comparison

| Feature | Sanctum | JWT |
|---|---|---|
| Token type | Opaque (random string) | Self-contained (encoded payload) |
| Database lookup per request | Yes | No — stateless |
| Token revocation | Easy — delete DB row | Hard — needs denylist |
| Official Laravel package | Yes | No (tymon/jwt-auth) |
| SPA / cookie auth support | Yes — built in | No |
| Cross-service / microservices | Limited | Yes — ideal |
| Setup complexity | Simple | More config needed |
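
The two validation paths and the "Token revocation" row, as an added example in plain PHP. It is not from the original post and is not Sanctum's or tymon/jwt-auth's own code. The function names, the in-memory array standing in for personal_access_tokens, the jti denylist and all values are assumptions constructed for illustration.

```php
<?php
// Constructed data; plain PHP, no Laravel. Opaque token first:
// the server keeps only a SHA-256 hash of the secret, keyed by row id.
$plain = bin2hex(random_bytes(20));
$tokensTable = [1 => ['user_id' => 42, 'token' => hash('sha256', $plain)]];
$bearer = '1|' . $plain; // "id|secret", the shape of plainTextToken

function checkOpaque(string $bearer, array $table): ?int {
    [$id, $secret] = array_pad(explode('|', $bearer, 2), 2, '');
    $row = $table[(int) $id] ?? null; // stands in for the per-request DB lookup
    if ($row === null) {
        return null; // row deleted, so the token is revoked
    }
    // Constant-time compare of the stored hash with the hash of the presented secret.
    return hash_equals($row['token'], hash('sha256', $secret)) ? $row['user_id'] : null;
}

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function issueJwt(array $claims, string $key): string {
    $signed = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256'])) . '.' . b64url(json_encode($claims));
    return $signed . '.' . b64url(hash_hmac('sha256', $signed, $key, true));
}

// JWT: validity comes from signature and claims alone; the denylist is the only state.
function checkJwt(string $jwt, string $key, array $denylist = []): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$head, $body, $sig] = $parts;
    // The algorithm is fixed to HS256 here, never taken from the token header.
    if (!hash_equals(b64url(hash_hmac('sha256', "$head.$body", $key, true)), $sig)) {
        return null;
    }
    $claims = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < time()) {
        return null;
    }
    return in_array($claims['jti'] ?? '', $denylist, true) ? null : $claims;
}

$key = random_bytes(32); // constructed signing key
$jwt = issueJwt(['sub' => 42, 'jti' => 'a1', 'exp' => time() + 900], $key);
var_dump(checkOpaque($bearer, $tokensTable));    // before revocation
unset($tokensTable[1]);                          // revoke: delete the row
var_dump(checkOpaque($bearer, $tokensTable));    // after revocation
var_dump(checkJwt($jwt, $key) !== null, checkJwt($jwt, $key, ['a1']) !== null); // without / with denylist
```

Deleting the row invalidates the opaque token on the very next request, while the JWT keeps passing signature and expiry checks until its exp unless every validating service also consults a denylist.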

Which One Should You Use?

Use Sanctum when:

  • Building a standard Laravel REST API or SPA
  • You need token revocation to work reliably (logout, ban user, rotate tokens)
  • You want official Laravel support and long-term stability
  • Your app is a single service, not a distributed system

Use JWT when:

  • Building microservices where multiple independent services need to validate the same token
  • You need stateless auth with zero database reads on every request
  • Integrating with non-Laravel systems that expect standard JWT
  • You need to embed custom claims in the token itself

For the vast majority of Laravel projects — including every API I've built professionally — Sanctum is the right choice. It's simpler, safer by default, and token revocation just works. Reach for JWT only when you genuinely need stateless cross-service authentication, not just because it sounds more sophisticated.

Can You Use JWT with Sanctum?

Not natively — they are separate packages with different approaches. However, you can configure Sanctum to work alongside JWT if needed, or use a package like sanctum-jwt that adds JWT-style tokens to Sanctum. In practice, very few projects need this hybrid approach.


About the Author

Kamruzzaman Polash — Software Engineer specialising in Laravel, REST APIs, and scalable backend systems. 10+ projects delivered for clients worldwide.