From fuse-laravel
Use when implementing user authentication, API tokens, social login, or authorization. Covers Sanctum, Passport, Socialite, Fortify, policies, and gates for Laravel 12.
Install: `npx claudepluginhub fusengine/agents --plugin fuse-laravel`

Slash command: `/fuse-laravel:laravel-auth`
Reference files bundled with this skill:

- references/authentication.md
- references/authorization.md
- references/csrf.md
- references/encryption.md
- references/fortify.md
- references/hashing.md
- references/passport.md
- references/passwords.md
- references/sanctum.md
- references/session.md
- references/socialite.md
- references/starter-kits.md
- references/templates/FortifySetup.php.md
- references/templates/GatesAndPolicies.php.md
- references/templates/LoginController.php.md
- references/templates/PassportSetup.php.md
- references/templates/PasswordResetController.php.md
- references/templates/PostPolicy.php.md
- references/templates/SocialiteController.php.md
- references/templates/sanctum-setup.md

Related skills:

Provides Laravel security best practices for authn/authz, validation, CSRF, mass assignment, file uploads, secrets, rate limiting, and secure deployments. Useful for auth setup, input handling, APIs, secrets, production hardening.
Build RESTful APIs with Laravel using API Resources, Sanctum authentication, rate limiting, and versioning. Use when creating API endpoints, transforming responses, or handling API authentication.
Guides Laravel security best practices for authn/authz, validation, CSRF/mass assignment protection, file uploads, secrets, rate limiting, session hardening, and secure deployments.
Before ANY implementation, use `TeamCreate` to spawn 3 agents:
After implementation, run fuse-ai-pilot:sniper for validation.
Laravel provides a complete authentication and authorization ecosystem. Choose based on your needs:
| Package | Best For | Complexity |
|---|---|---|
| Starter Kits | New projects, quick setup | Low |
| Sanctum | API tokens, SPA auth | Low |
| Fortify | Custom UI, headless backend | Medium |
| Passport | OAuth2 server, third-party access | High |
| Socialite | Social login (Google, GitHub) | Low |
…if checks

`Hash::make()` or `'hashed'` cast

```text
app/
├── Http/
│   ├── Controllers/
│   │   └── Auth/                  ← Auth controllers (if manual)
│   └── Middleware/
│       └── Authenticate.php       ← Redirects unauthenticated
├── Models/
│   └── User.php                   ← HasApiTokens trait (Sanctum)
├── Policies/                      ← Authorization policies
│   └── PostPolicy.php
├── Providers/
│   └── AppServiceProvider.php     ← Gate definitions
└── Actions/
    └── Fortify/                   ← Fortify actions (if used)
        ├── CreateNewUser.php
        └── ResetUserPassword.php
config/
├── auth.php                       ← Guards & providers
├── sanctum.php                    ← API token config
└── fortify.php                    ← Fortify features
```
When working in a FuseCore project, authentication follows the modular structure:
```text
FuseCore/
├── Core/                              # Infrastructure (priority 0)
│   └── App/Contracts/
│       └── AuthServiceInterface.php   ← Auth contract
│
├── User/                              # Auth module (existing)
│   ├── App/
│   │   ├── Models/User.php            ← HasApiTokens trait
│   │   ├── Http/
│   │   │   ├── Controllers/
│   │   │   │   ├── AuthController.php
│   │   │   │   └── TokenController.php
│   │   │   ├── Requests/
│   │   │   │   ├── LoginRequest.php
│   │   │   │   └── RegisterRequest.php
│   │   │   └── Resources/UserResource.php
│   │   ├── Policies/UserPolicy.php
│   │   └── Services/AuthService.php
│   ├── Config/
│   │   └── sanctum.php                ← Sanctum config (module-level)
│   ├── Database/Migrations/
│   ├── Routes/api.php                 ← Auth routes
│   └── module.json                    # dependencies: []
│
└── {YourModule}/                      # Depends on User module
    ├── App/Policies/                  ← Module-specific policies
    └── module.json                    # dependencies: ["User"]
```
Key locations:

- `/FuseCore/User/` module
- `module/App/Policies/`
- `/FuseCore/User/Routes/api.php`
- `/FuseCore/User/Config/sanctum.php`
- `"User"` dependency in other modules' `module.json`
- `auth:sanctum` middleware in module routes

```php
// In FuseCore/{Module}/Routes/api.php
Route::middleware(['api', 'auth:sanctum'])->group(function () {
    Route::apiResource('posts', PostController::class);
});

// In FuseCore/{Module}/App/Http/Controllers/PostController.php
// Note: in Laravel 11+/12 the base Controller class is empty, so the controller
// must `use Illuminate\Foundation\Auth\Access\AuthorizesRequests;` for $this->authorize().
public function update(UpdatePostRequest $request, Post $post)
{
    $this->authorize('update', $post); // Uses PostPolicy; throws AuthorizationException (403) on deny
    // ...
}
```
→ See fusecore skill for complete module patterns.
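The snippet above calls `$this->authorize('update', $post)` but does not show the policy behind it or how a policy living in a module namespace gets registered. The following is an added example (not one of this skill's templates) of a module-level `PostPolicy` with a `before` filter, explicit registration with `Gate::policy()` (Laravel only auto-discovers policies under `App\Policies`, so a module policy must be registered by hand), and the controller with the `AuthorizesRequests` trait. The `FuseCore\Blog` namespace, the `is_admin` column and the `published_at` column are assumptions for illustration.

```php
<?php
// Added example (not the skill's own template). Namespaces follow the FuseCore
// layout described in this skill; "Blog" is an assumed module name.

namespace FuseCore\Blog\App\Policies;

use FuseCore\Blog\App\Models\Post;
use FuseCore\User\App\Models\User;
use Illuminate\Auth\Access\Response;

class PostPolicy
{
    // Runs before every ability on this policy. Return true to allow everything
    // (admin override), null to fall through to the specific method. Do not
    // return false here unless you intend to deny every ability for that user.
    public function before(User $user, string $ability): ?bool
    {
        return $user->is_admin ? true : null; // is_admin: assumed column
    }

    // Guests may read published posts; drafts are visible only to their author.
    public function view(?User $user, Post $post): bool
    {
        return $post->published_at !== null || $user?->id === $post->user_id;
    }

    // Return a Response to attach a reason; Laravel still renders it as 403.
    public function update(User $user, Post $post): Response
    {
        return $user->id === $post->user_id
            ? Response::allow()
            : Response::deny('You may only edit your own posts.');
    }

    public function delete(User $user, Post $post): bool
    {
        return $user->id === $post->user_id;
    }
}

// --- FuseCore/Blog/App/Providers/BlogServiceProvider.php (assumed file) ---
namespace FuseCore\Blog\App\Providers;

use FuseCore\Blog\App\Models\Post;
use FuseCore\Blog\App\Policies\PostPolicy;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\ServiceProvider;

class BlogServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Policies outside App\Policies are not auto-discovered: bind explicitly.
        Gate::policy(Post::class, PostPolicy::class);
    }
}

// --- FuseCore/Blog/App/Http/Controllers/PostController.php ---
namespace FuseCore\Blog\App\Http\Controllers;

use FuseCore\Blog\App\Http\Requests\UpdatePostRequest;
use FuseCore\Blog\App\Models\Post;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\JsonResponse;

class PostController
{
    use AuthorizesRequests; // provides $this->authorize() in Laravel 11+/12

    public function update(UpdatePostRequest $request, Post $post): JsonResponse
    {
        // Resolves PostPolicy::before() first, then PostPolicy::update().
        // A denied check throws AuthorizationException, rendered as HTTP 403.
        $this->authorize('update', $post);

        $post->update($request->validated());

        return response()->json($post);
    }
}
```

Authorization is enforced server-side on every request regardless of what the client sent; `UpdatePostRequest::validated()` keeps mass-assignment limited to the fields the request class declares.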
```text
Need auth scaffolding? → Starter Kit
├── Yes → Use React/Vue/Livewire starter kit
└── No  → Building custom frontend?
    ├── Yes → Use Fortify (headless)
    └── No  → API only?
        ├── Yes → Sanctum (tokens)
        └── No  → Session-based

Third-party apps need access?
├── Yes → Passport (OAuth2)
└── No  → Mobile app?
    ├── Yes → Sanctum API tokens
    └── No  → SPA on same domain?
        ├── Yes → Sanctum SPA auth (cookies)
        └── No  → Sanctum API tokens
```
| Concept | Description | Reference |
|---|---|---|
| Guards | Define HOW users authenticate (session, token) | authentication.md |
| Providers | Define WHERE users are retrieved from (database) | authentication.md |
| Gates | Closure-based authorization for simple checks | authorization.md |
| Policies | Class-based authorization tied to models | authorization.md |
| Abilities | Token permissions (Sanctum/Passport scopes) | sanctum.md |
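The table separates gates (closure checks), policies (model-bound classes) and abilities (per-token permissions). The following added example, which is not from this skill's references, shows the two layers that the policy example does not: a closure gate, and Sanctum token abilities that restrict what a given token may do even when its owner's policy would allow it. The ability names `posts:read`/`posts:update`, the `role` column and the `ci-deploy` token name are assumptions.

```php
<?php
// Added example (not from the skill's references). Ability and column names
// are assumed for illustration.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;

// --- app/Providers/AppServiceProvider.php, inside boot() ---
// A gate: closure-based, no model required. Good for coarse checks.
Gate::define('view-admin-dashboard', function (User $user): bool {
    return $user->role === 'admin'; // role: assumed column
});

// --- Issuing a token with restricted abilities (e.g. in TokenController) ---
// Abilities are stored with the token; the plaintext value is returned once.
// Sanctum hashes the token at rest, so the caller must save plainTextToken now.
function issueDeployToken(Request $request): string
{
    return $request->user()->createToken(
        name: 'ci-deploy',
        abilities: ['posts:read', 'posts:update'],
        expiresAt: now()->addDays(7), // short-lived tokens limit the blast radius of a leak
    )->plainTextToken;
}

// --- routes/api.php ---
// `abilities:` (registered by Sanctum) requires ALL listed abilities on the token.
// Session-authenticated SPA requests carry a TransientToken, which passes every
// ability check, so this guard only constrains bearer tokens.
Route::middleware(['auth:sanctum', 'abilities:posts:update'])
    ->put('/posts/{post}', [PostController::class, 'update']);

Route::middleware(['auth:sanctum', 'can:view-admin-dashboard'])
    ->get('/admin', [AdminController::class, 'index']);

// --- Inside a controller action: layer the two checks ---
// 1) the token must carry the ability (what this credential may do);
// 2) the user must pass the policy (what this person may do to this model).
function updatePost(Request $request, Post $post)
{
    if (! $request->user()->tokenCan('posts:update')) {
        abort(403, 'Token lacks the posts:update ability.');
    }

    Gate::authorize('update', $post); // PostPolicy::update()

    // ... apply validated changes
}
```

Checking the token ability and the policy separately matters because they answer different questions: a user who owns a post may still have issued a read-only token to a CI job, and that token must not be able to edit the post.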
| Topic | Reference | When to Consult |
|---|---|---|
| Authentication | authentication.md | Guards, providers, login flow |
| Authorization | authorization.md | Gates vs policies, access control |
| Sanctum | sanctum.md | API tokens, SPA authentication |
| Passport | passport.md | OAuth2 server, third-party access |
| Fortify | fortify.md | Headless auth, 2FA |
| Socialite | socialite.md | Social login providers |
| Starter Kits | starter-kits.md | Auth scaffolding |
| Email Verification | verification.md | MustVerifyEmail, verified middleware |
| Password Reset | passwords.md | Forgot password flow |
| Session | session.md | Session drivers, flash data |
| CSRF | csrf.md | Form protection, AJAX tokens |
| Encryption | encryption.md | Data encryption (not passwords) |
| Hashing | hashing.md | Password hashing |
| Template | When to Use |
|---|---|
| LoginController.php.md | Manual authentication controllers |
| GatesAndPolicies.php.md | Gates and policy examples |
| PostPolicy.php.md | Complete policy class with before filter |
| sanctum-setup.md | Sanctum configuration + testing |
| PassportSetup.php.md | OAuth2 server setup |
| FortifySetup.php.md | Fortify configuration + 2FA |
| SocialiteController.php.md | Social login + testing |
| PasswordResetController.php.md | Password reset flow |
verified middleware for sensitive actions