
The Laravel Sanctum setup that actually works (and what trips most people up)
I've set up Sanctum in probably 8 or 9 Laravel projects at this point — payroll systems, SaaS tools, e-commerce APIs. Every time I onboard a junior dev or review someone's code, I see the same 3-4 mistakes repeated. So here's the setup that works, plus the exact things that will silently break it.

First: what Sanctum actually does

Sanctum issues a plain-text token, stores only a SHA-256 hash of it in your personal_access_tokens table, and validates it on every request with a database lookup. That's it. No JWT, no signatures, no decoding, just a DB row. This is why token revocation is trivially easy with Sanctum and nightmarish with JWT: delete the row and the token is dead instantly, whereas a signed JWT stays valid until it expires unless you bolt on a denylist, at which point you are back to a database lookup per request anyway.

The setup (Laravel 12)

Step 1 — Install

Laravel 11 and 12 no longer ship Sanctum in the default skeleton; running php artisan install:api pulls it in, publishes its config and migration, and registers routes/api.php. On Laravel 10 and below (or any project where it is missing), install it by hand:

composer require laravel/sanctum
php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
php artisan migrate

Step 2 — Add the trait to your User model

This is
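The token lifecycle described under "what Sanctum actually does" above, as an added, stand-alone example. This is not Sanctum's own code and not part of the original post: it re-implements the scheme (random secret, only the SHA-256 stored, "id|secret" handed to the client once, constant-time compare on lookup, revocation by deleting the row) against an in-memory array that stands in for the personal_access_tokens table, so it runs with plain PHP 8 and no database. The class name TokenStore and its method names are my own; the legacy fallback Sanctum keeps for tokens without an id prefix is deliberately left out.

```php
<?php
// Added example: a stand-alone model of Sanctum's token scheme.
// Not Sanctum's own code. An in-memory array replaces the
// personal_access_tokens table so this runs without Laravel or a DB.

declare(strict_types=1);

final class TokenStore
{
    /** @var array<int, array{name: string, token: string, abilities: array}> rows keyed by id */
    private array $rows = [];
    private int $nextId = 1;

    /**
     * Mirrors what HasApiTokens::createToken() does: generate a random secret,
     * persist only its SHA-256, and return "id|secret" exactly once.
     */
    public function issue(string $name, array $abilities = ['*']): string
    {
        // 40 hex chars of entropy; Sanctum itself uses Str::random(40) plus a crc32b suffix.
        $secret = bin2hex(random_bytes(20));
        $id = $this->nextId++;
        $this->rows[$id] = [
            'name'      => $name,
            'token'     => hash('sha256', $secret), // the plaintext is never stored
            'abilities' => $abilities,
        ];
        return $id . '|' . $secret;
    }

    /**
     * Mirrors PersonalAccessToken::findToken(): split on the first "|", fetch the
     * row by primary key (one indexed lookup per request), then compare hashes
     * in constant time. Returns the row, or null for anything that does not match.
     */
    public function find(string $bearer): ?array
    {
        if (!str_contains($bearer, '|')) {
            return null; // legacy un-prefixed tokens are not modelled here
        }
        [$id, $secret] = explode('|', $bearer, 2);
        $row = $this->rows[(int) $id] ?? null;
        if ($row === null) {
            return null;
        }
        return hash_equals($row['token'], hash('sha256', $secret)) ? $row : null;
    }

    /** Revocation is a row delete: the plaintext token is dead the moment the row is gone. */
    public function revoke(string $bearer): void
    {
        [$id] = explode('|', $bearer, 2);
        unset($this->rows[(int) $id]);
    }
}

// Tiny check helper so the script fails loudly regardless of zend.assertions.
function expect(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAIL: $what\n");
        exit(1);
    }
    echo "ok: $what\n";
}

$store = new TokenStore();
$token = $store->issue('mobile-app', ['orders:read']);

expect($store->find($token) !== null, 'valid token resolves to its row');
// Secret is hex, so appending 'x' always changes it: a single wrong character must fail.
expect($store->find(substr($token, 0, -1) . 'x') === null, 'tampered secret is rejected');
expect($store->find('1|nonsense') === null, 'right id with wrong secret is rejected');
expect($store->find('9999|' . explode('|', $token, 2)[1]) === null, 'unknown id is rejected');

$store->revoke($token);
expect($store->find($token) === null, 'deleted row means an instantly dead token');
```

In a real Laravel app the same three steps are $user->createToken('mobile-app', ['orders:read'])->plainTextToken to issue (show it to the client once; you cannot recover it later), the auth:sanctum guard doing the lookup and hash_equals on every request, and $request->user()->currentAccessToken()->delete() (or $user->tokens()->delete() for everything) to revoke. The id prefix is what keeps the per-request DB hit to a single primary-key lookup instead of a scan on the hashed column.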



