Skill

laravel-auth

Use when implementing user authentication, API tokens, social login, or authorization. Covers Sanctum, Passport, Socialite, Fortify, policies, and gates for Laravel 12.

From fuse-laravel

Install

Run in your terminal

npx claudepluginhub fusengine/agents --plugin fuse-laravel

Tool Access

This skill uses the workspace's default tool permissions.

Supporting Assets

View in Repository

references/authentication.md

references/authorization.md

references/csrf.md

references/encryption.md

references/fortify.md

references/hashing.md

references/passport.md

references/passwords.md

references/sanctum.md

references/session.md

references/socialite.md

references/starter-kits.md

references/templates/FortifySetup.php.md

references/templates/GatesAndPolicies.php.md

references/templates/LoginController.php.md

references/templates/PassportSetup.php.md

references/templates/PasswordResetController.php.md

references/templates/PostPolicy.php.md

references/templates/SocialiteController.php.md

references/templates/sanctum-setup.md

Skill Content

Similar Skills

ui-ux-pro-max

Provides UI/UX resources: 50+ styles, color palettes, font pairings, guidelines, charts for web/mobile across React, Next.js, Vue, Svelte, Tailwind, React Native, Flutter. Aids planning, building, reviewing interfaces.

ui-ux-pro-max

57.6k

context7-mcp

Fetches up-to-date documentation from Context7 for libraries and frameworks like React, Next.js, Prisma. Use for setup questions, API references, and code examples.

context7-plugin

51.4k

context7-cli

3 files

Uses ctx7 CLI to fetch current library docs, manage AI coding skills (install/search/generate), and configure Context7 MCP for AI editors.

context7

50.8k

Stats

Parent Repo Stars4

Parent Repo Forks0

Last CommitFeb 7, 2026

Actions

View Source View Plugin View on GitHub View README

Laravel Authentication & Authorization

Agent Workflow (MANDATORY)

Before ANY implementation, use TeamCreate to spawn 3 agents:

fuse-ai-pilot:explore-codebase - Check existing auth setup, guards, policies
fuse-ai-pilot:research-expert - Verify latest Laravel 12 auth docs via Context7
mcp__context7__query-docs - Query specific patterns (Sanctum, Passport, etc.)

After implementation, run fuse-ai-pilot:sniper for validation.

Overview

Laravel provides a complete authentication and authorization ecosystem. Choose based on your needs:

Package	Best For	Complexity
Starter Kits	New projects, quick setup	Low
Sanctum	API tokens, SPA auth	Low
Fortify	Custom UI, headless backend	Medium
Passport	OAuth2 server, third-party access	High
Socialite	Social login (Google, GitHub)	Low

Critical Rules

Use policies for model authorization - Not inline if checks
Always hash passwords - Hash::make() or 'hashed' cast
Regenerate session after login - Prevents fixation attacks
Use HTTPS in production - Required for secure cookies
Define token abilities - Principle of least privilege

Architecture

app/
├── Http/
│   ├── Controllers/
│   │   └── Auth/              ← Auth controllers (if manual)
│   └── Middleware/
│       └── Authenticate.php   ← Redirects unauthenticated
├── Models/
│   └── User.php               ← HasApiTokens trait (Sanctum)
├── Policies/                  ← Authorization policies
│   └── PostPolicy.php
├── Providers/
│   └── AppServiceProvider.php ← Gate definitions
└── Actions/
    └── Fortify/               ← Fortify actions (if used)
        ├── CreateNewUser.php
        └── ResetUserPassword.php

config/
├── auth.php                   ← Guards & providers
├── sanctum.php                ← API token config
└── fortify.php                ← Fortify features

FuseCore Integration

When working in a FuseCore project, authentication follows the modular structure:

FuseCore/
├── Core/                      # Infrastructure (priority 0)
│   └── App/Contracts/
│       └── AuthServiceInterface.php  ← Auth contract
│
├── User/                      # Auth module (existing)
│   ├── App/
│   │   ├── Models/User.php    ← HasApiTokens trait
│   │   ├── Http/
│   │   │   ├── Controllers/
│   │   │   │   ├── AuthController.php
│   │   │   │   └── TokenController.php
│   │   │   ├── Requests/
│   │   │   │   ├── LoginRequest.php
│   │   │   │   └── RegisterRequest.php
│   │   │   └── Resources/UserResource.php
│   │   ├── Policies/UserPolicy.php
│   │   └── Services/AuthService.php
│   ├── Config/
│   │   └── sanctum.php        ← Sanctum config (module-level)
│   ├── Database/Migrations/
│   ├── Routes/api.php         ← Auth routes
│   └── module.json            # dependencies: []
│
└── {YourModule}/              # Depends on User module
    ├── App/Policies/          ← Module-specific policies
    └── module.json            # dependencies: ["User"]

FuseCore Auth Checklist

Auth code in /FuseCore/User/ module
Policies in module's /App/Policies/
Auth routes in /FuseCore/User/Routes/api.php
Sanctum config in /FuseCore/User/Config/sanctum.php
Declare "User" dependency in other modules' module.json
Use auth:sanctum middleware in module routes

Cross-Module Authorization

// In FuseCore/{Module}/Routes/api.php
Route::middleware(['api', 'auth:sanctum'])->group(function () {
    Route::apiResource('posts', PostController::class);
});

// In FuseCore/{Module}/App/Http/Controllers/PostController.php
public function update(UpdatePostRequest $request, Post $post)
{
    $this->authorize('update', $post);  // Uses PostPolicy
    // ...
}

→ See fusecore skill for complete module patterns.

Decision Guide

Authentication Method

Need auth scaffolding? → Starter Kit
├── Yes → Use React/Vue/Livewire starter kit
└── No → Building custom frontend?
    ├── Yes → Use Fortify (headless)
    └── No → API only?
        ├── Yes → Sanctum (tokens)
        └── No → Session-based

Token Type

Third-party apps need access? → Passport (OAuth2)
├── No → Mobile app?
│   ├── Yes → Sanctum API tokens
│   └── No → SPA on same domain?
│       ├── Yes → Sanctum SPA auth (cookies)
│       └── No → Sanctum API tokens

Key Concepts

Concept	Description	Reference
Guards	Define HOW users authenticate (session, token)	authentication.md
Providers	Define WHERE users are retrieved from (database)	authentication.md
Gates	Closure-based authorization for simple checks	authorization.md
Policies	Class-based authorization tied to models	authorization.md
Abilities	Token permissions (Sanctum/Passport scopes)	sanctum.md

Reference Guide

Concepts (WHY & Architecture)

Topic	Reference	When to Consult
Authentication	authentication.md	Guards, providers, login flow
Authorization	authorization.md	Gates vs policies, access control
Sanctum	sanctum.md	API tokens, SPA authentication
Passport	passport.md	OAuth2 server, third-party access
Fortify	fortify.md	Headless auth, 2FA
Socialite	socialite.md	Social login providers
Starter Kits	starter-kits.md	Auth scaffolding
Email Verification	verification.md	MustVerifyEmail, verified middleware
Password Reset	passwords.md	Forgot password flow
Session	session.md	Session drivers, flash data
CSRF	csrf.md	Form protection, AJAX tokens
Encryption	encryption.md	Data encryption (not passwords)
Hashing	hashing.md	Password hashing

Templates (Complete Code)

Template	When to Use
LoginController.php.md	Manual authentication controllers
GatesAndPolicies.php.md	Gates and policy examples
PostPolicy.php.md	Complete policy class with before filter
sanctum-setup.md	Sanctum configuration + testing
PassportSetup.php.md	OAuth2 server setup
FortifySetup.php.md	Fortify configuration + 2FA
SocialiteController.php.md	Social login + testing
PasswordResetController.php.md	Password reset flow

Best Practices

DO

Use starter kits for new projects
Define policies for all models
Set token expiration
Rate limit login attempts
Use verified middleware for sensitive actions
Prune expired tokens regularly

DON'T

Store plain text passwords
Skip session regeneration on login
Use Passport when Sanctum suffices
Forget to prune expired tokens
Ignore HTTPS in production
Put authorization logic in controllers