This video is a salvation to my whole authentication struggle.

Are you kidding me? How does the internet even work with something like that URI decode so obscurely hidden away on this corner of youtube? If I get this thing working I'm gonna hammer away at the laravel maintainers' patience until they let me add all this to the docs! Thank you very much for taking the time to do this!

must watch video for the developer who want to make separate front-end & back-end. usually i don't comment on youtube video but your video make me to comment & appreaciate your hard-word & effort you put in making this video. Thanks.

Excellent video. Since you asked: the "voodoo magic cookie" you mention around 1:03:37 is the cookie that contains your actual session state data because you used the "cookie" SESSION_DRIVER option. If you were to decrypt the value of this cookie, you'd see the data that would normally be stored in a session file, cache system, etc (data like "_token", "_flash", "_previous", etc). In other words, the "livepost_session" cookie value (once decrypted) provides Laravel with your session token. Laravel then looks for a cookie on the request with that name (again, only because you are using the "cookie" session driver), and decrypts the value to get the actual session data. When using an alternate session driver, Laravel uses the same process (decrypting your session cookie to determine the "token"), but will then lookup the actual session data using whichever driver you've selected (cache, file, database, etc). Hope this helps!

THANK YOU FOR THIS! I created a clean Laravel 9 project to go through your tutorial. I have spent the last 8 or so hours on just your first 30 minutes! :') I am thoroughly documenting and testing along the way, and everything makes so much more sense now. Seriously-THANK YOU! I have been struggling with this part of my project.

Thank you, kind sir. You've helped me graduate college.

One of the greatest tutorials I've ever watched! THANK YOU VERY MUCH!

Perfect class. You can use axios which automatically includes the X-XSRF-COOKIE in the header of all the following requests. Thank you very much, congratulations.

This video lesson was extremely useful and the content is really easy to understand, I will refer it to my colleagues. From one professional to another, my most sincere thanks. 🤝

Crystal clear explanation. Thanks for the effort.

Thank you! It's a very nice guide, I watched it with pleasure!

Thank you! Excellent content

I just don't get it... Trying to make requests through Postman and was able to make it work and pre-fetch CSRF token before each request to the local app so it circumvents the CSRF error and I can login by either going to /api/sanctum/token or to a "normal" website login at "/login" URI... However! - When I login through /login I get "unauthenticated" response back after making another GET request through postman to "api/user", which judging by what I saw in your video shouldn't be the case (it should threat this login the same way as it does the "api/sanctum/token" login) ? The only way I can get the "api/user" to not give me "Unauthenticated" error is if I add the bearer token authorization with the request and enter the token I got back when calling "/api/sanctum/token" URI. Or am I missing something here and "api/" route authentication was never supposed to be "compatible" with the Fortify "/login" route authentication and the "cookie based authentication for Sanctum" that you mention in the video is basically just having to send CSRF token along with the bearer token in the headers of any API request made to "api/" routes in the app for extra protection?

after I set up sanctum, I cant hit the endpoints with postman anymore?

Could you please update same with laravel 11.x due to many changes?

this is awesome

if i registered the user using Fortify register route then fortify will automatically login the user too at back-end & when i try to login user from nuxt front-end then laravel redirect to his back-end home page because at back-end side user already logged in which throw an error at front-end side & due to failed request loggedIn state of nuxt/auth package does'nt change to true. I hope you understand the condition. Any solution for this? what should i do? in-short i am trying to say that i can only make the request successful to login or register route for the first time or whenever I click on logout or throw request to logout at server then these login register routes work perfectly for the first time again.

I got unidefined status when I requested register route

why i still get html return even i set false to view in fortify

I can not thank you enough for your precious videos. I feel like there is a little mess in authentication in Laravel, and I wish you clear some doubts. as I understand, when a protected http request arrives to API it first goes through sanctum library to make sure that request was issued by an authenticated user. and lets assume that http request contains bearer token. Then, sanctum relates this token to the user by inspecting the tokens table in database. The request will be considered authenticated if the token in the request is a valid token for some user. I want to ask here, is my perspective right? And if it is right, how does sanctum relate to Laravel guards? and can I make any other object authenticatable by sanctum, like for example other kinds of users, and should I make a costume guard with a provider related to this other user? how can I relate those other users to tokens table and tell sanctum that the tokens in the http request maybe for other entities?

👍👍👍👍👍👍👍

Can you make a video about Laravel Scout and Elasticsearch? I want to see what is the right way to add data’s with relations into elasticsearch and search in elastic. Thank you for a great videos. I subscribed to your channel and turned on notifications 👍

I tried this tutorial, but when register new user I got message Status: 419 unknown status. what happened with my project? Thank you

I have a weird error and any help would be appreciated. I login the user, turn on 2FA by making a POST request to /user/two-factor-authentication. Then I grabbed the recovery codes at GET: /user/two-factor-recovery-codes. So I logged out, logged back in and login response was { "two_factor": false }, even tough I turned it on. So I tried to do a two-factor-challenge with a recovery code, but I got a 422 saying "The provided two factor recovery code was invalid." P.S Great video, you explained this topic really well.