Laravel Sanctum
Note: The sanctum auth guard can't be used with user impersonation because user impersonation supports stateful guards only.
Laravel Sanctum works with Tenancy out of the box, with the exception of the sanctum.csrf-cookie route. You can make some small changes to make the route work.
Making the csrf-cookie route work in the tenant app
To make the sanctum.csrf-cookie route work in the tenant app, do the following:
- Add 'routes' => false to the sanctum.php config
- Publish the Sanctum migrations and move them to migrations/tenant
- Make Sanctum not use its migrations in the central app by adding Sanctum::ignoreMigrations() to the register() method in your AuthServiceProvider
- Add the following code to routes/tenant.php to override the original sanctum.csrf-cookie route:
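    // Imports for the top of routes/tenant.php
    use Illuminate\Support\Facades\Route;
    use Laravel\Sanctum\Http\Controllers\CsrfCookieController;
    use Stancl\Tenancy\Middleware\InitializeTenancyByDomain;

    // Re-register Sanctum's CSRF cookie route so that it runs in the tenant context
    Route::group(['prefix' => config('sanctum.prefix', 'sanctum')], static function () {
        Route::get('/csrf-cookie', [CsrfCookieController::class, 'show'])
            ->middleware([
                'web',
                InitializeTenancyByDomain::class, // Use tenancy initialization middleware of your choice
            ])->name('sanctum.csrf-cookie');
    });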
Making the csrf-cookie route work both in the central and the tenant app
To use the sanctum.csrf-cookie route in both the central and the tenant apps:
- Follow the steps in the previous section ("Sanctum's csrf-cookie route in the tenant app")
- Set up universal routes
- Remove Sanctum::ignoreMigrations() from your AuthServiceProvider's register() method
- Remove 'routes' => false from the sanctum.php config
- Add the 'universal' middleware to the sanctum.csrf-cookie route in your routes/tenant.php
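
To confirm the result of either procedure, the following check (an added example, not part of the Tenancy or Sanctum documentation) inspects the response headers of the csrf-cookie route and passes only for a 204 response that sets the XSRF-TOKEN cookie. The function names and sample responses are constructed for illustration, and the probe assumes HTTPS and the default sanctum prefix used in the route above.

```sh
#!/bin/sh
# Added example: verify that a host serves the sanctum.csrf-cookie route.

# Reads raw response headers on stdin; succeeds only for a 204 response
# that sets the XSRF-TOKEN cookie.
check_csrf_cookie() {
  tr -d '\r' | awk '
    /^HTTP\//  { status = $2; xsrf = 0; next }   # status line; the last response wins
    tolower($0) ~ /^set-cookie: *xsrf-token=/ { xsrf = 1 }
    END { exit !(status == "204" && xsrf) }
  '
}

# Live probe. $1 = host (tenant or central domain), $2 = Sanctum prefix.
probe_csrf_route() {
  curl -sS -o /dev/null -D - "https://$1/${2:-sanctum}/csrf-cookie" | check_csrf_cookie
}

# Constructed sample responses (not captured from a real application).
sample_tenant_ok() {
  printf 'HTTP/1.1 204 No Content\r\n'
  printf 'Set-Cookie: XSRF-TOKEN=constructed; path=/; samesite=lax\r\n'
  printf 'Set-Cookie: laravel_session=constructed; path=/; httponly\r\n\r\n'
}
sample_route_missing() {      # route not registered for this host
  printf 'HTTP/1.1 404 Not Found\r\n\r\n'
}
sample_no_web_group() {       # route answers, but without the web group no XSRF-TOKEN cookie is issued
  printf 'HTTP/1.1 204 No Content\r\n\r\n'
}

sample_tenant_ok | check_csrf_cookie && echo "csrf-cookie route OK"
```

Run probe_csrf_route against a tenant domain after the first procedure, and against both a tenant and a central domain after the second.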