Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.

Airlock Laravel Package

laravel/airlock

Laravel Sanctum (formerly Airlock) provides a lightweight authentication system for Laravel SPAs and simple APIs, offering first-party SPA cookie auth plus API token issuing and management for users, mobile apps, and third-party clients.


Product Decisions This Supports

  • Build vs. Buy: Accelerates development by eliminating the need to build a custom token-based authentication system for SPAs (Single-Page Applications) or lightweight APIs. Reduces technical debt and maintenance overhead.
  • Feature Roadmap:
    • API-First Strategy: Enables rapid iteration for mobile/web apps consuming Laravel APIs without requiring OAuth2 complexity.
    • Multi-Tenancy: Supports token-based auth for SaaS platforms with per-tenant API access.
    • Security Compliance: Simplifies adherence to token expiration, revocation, and CSRF protection standards.
    • Progressive Enhancement: Allows gradual migration from session-based to token-based auth.
  • Use Cases:
    • Internal Tools: Secure admin dashboards or CLI tools interacting with APIs.
    • IoT/Embedded Systems: Lightweight auth for device-to-server communication.
    • Legacy System Integration: Modernize auth for older systems without full OAuth2 overhead.

When to Consider This Package

Adopt when:

  • Your project needs bearer-token authentication for mobile apps or simple APIs, or session-cookie authentication for a first-party SPA that talks to the same Laravel backend.
  • You’re using Laravel and need a lightweight alternative to Passport (OAuth2).
  • Your API clients are trusted (e.g., internal tools, known domains) and don’t need OAuth2’s granular scopes/flows.
  • You prioritize simplicity over advanced features like refresh tokens or PKCE.
  • Your team lacks OAuth2 expertise but needs secure API access.

Look elsewhere when:

  • You need OAuth2 features (e.g., third-party auth, scopes, PKCE, or complex token flows).
  • Your API must validate tokens without a database round-trip on every request (Sanctum stores only the SHA-256 hash of each bearer token in personal_access_tokens and looks it up per request; Passport's signed JWT access tokens are still checked against its own tables for revocation, so it is not a scalability escape hatch either).
  • You’re building a public API with unknown clients (use Passport or a dedicated auth service).
  • Your use case demands JWT (Sanctum issues opaque random tokens and stores only their SHA-256 hash; it neither issues nor verifies JWTs).
  • You need fine-grained token permissions (Sanctum's token abilities are a flat list of strings checked with tokenCan() or the abilities middleware; there is no scope registry, client consent screen, or per-client scope restriction as in Passport).

How to Pitch It (Stakeholders)

For Executives: "Laravel Sanctum lets us ship secure API access for our [SPA/mobile/internal tools] 3–5x faster than building from scratch or using OAuth2. It’s the ‘Swiss Army knife’ for token-based auth: lightweight, battle-tested, and maintained by Laravel’s core team. By adopting Sanctum, we avoid vendor lock-in (MIT license), reduce dev costs, and future-proof our auth layer for [upcoming SaaS/multi-tenant] features. The risk? Minimal—it’s used by thousands of projects, and we can always upgrade to Passport later if needed."

For Engineering: *"Sanctum gives us a drop-in solution for API auth with:

  • Zero OAuth2 complexity: No need to manage clients, secrets, or PKCE.
  • SPA-friendly: First-party SPAs authenticate with Laravel's own session cookie and get CSRF protection out of the box; mobile and third-party clients use bearer tokens.
  • Laravel-native: Integrates seamlessly with Eloquent, middleware, and Laravel’s auth system.
  • Performance: Optimized for simple APIs (e.g., internal tools, IoT).

Trade-offs:

  • Not for public APIs with unknown third-party clients (use Passport).
  • Every bearer-token request looks up the token's SHA-256 hash in the database; revocation is a row delete, which is immediate but means no token is checked without that lookup.

Proposal: Use Sanctum for [X project], with a clear upgrade path to Passport if we later need OAuth2. Estimated dev time saved: [X] weeks."*
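
The SPA cookie mode described above, as an added example that is not the page's or Sanctum's own code. It assumes a Laravel 11 application with Sanctum installed, the SPA served from https://app.example.com and the API from https://api.example.com (hypothetical hosts that share the example.com parent domain), and shows the three pieces that have to agree: the stateful-domain configuration, the session cookie domain, and login/logout routes that rotate the session.

```php
<?php
// Added example (not Sanctum's own code). Assumed: Laravel 11 layout,
// SPA at app.example.com, API at api.example.com.

// ---- bootstrap/app.php ----
// statefulApi() prepends EnsureFrontendRequestsAreStateful to the 'api'
// group: requests whose Referer/Origin host is listed in
// SANCTUM_STATEFUL_DOMAINS get the session, cookie-encryption and CSRF
// middleware; every other request is treated as a bearer-token client.
// (Laravel 10: add that middleware to the 'api' group in app/Http/Kernel.php.)
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
    )
    ->withMiddleware(function (Middleware $middleware) {
        $middleware->statefulApi();
    })
    ->create();

// ---- .env (assumed values) ----
// SANCTUM_STATEFUL_DOMAINS=app.example.com   # host only, no scheme; add :port for dev servers
// SESSION_DOMAIN=.example.com                # so the session cookie is sent to api.example.com
// SESSION_SECURE_COOKIE=true                 # never send the session cookie over plain HTTP

// ---- routes/web.php ----
// Login/logout sit in the 'web' group so session and CSRF middleware apply.
// Client order: GET /sanctum/csrf-cookie (route registered by the package),
// then POST /login with the XSRF-TOKEN cookie value echoed in the
// X-XSRF-TOKEN header. A POST without a valid token is rejected with 419.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

Route::post('/login', function (Request $request) {
    $credentials = $request->validate([
        'email' => 'required|email',
        'password' => 'required|string',
    ]);

    if (! Auth::attempt($credentials)) {
        return response()->json(['message' => 'Invalid credentials'], 422);
    }

    // Rotate the session id on privilege change to defeat session fixation.
    $request->session()->regenerate();

    return response()->noContent();
});

Route::post('/logout', function (Request $request) {
    Auth::guard('web')->logout();
    $request->session()->invalidate();      // drop server-side session data
    $request->session()->regenerateToken(); // fresh CSRF token for the next login

    return response()->noContent();
});
```

Two checks worth running before shipping this: confirm from the browser that the session cookie is actually sent to the API host (a wrong SESSION_DOMAIN silently turns every API call into an unauthenticated one), and confirm that a request from a host not in SANCTUM_STATEFUL_DOMAINS does not get session authentication, since that list is the only thing separating trusted first-party origins from everything else.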

For Developers: *"Sanctum lets you add API auth in minutes:

// Issue a token for a user; hand plainTextToken to the client once.
// Only a SHA-256 hash of it is stored in personal_access_tokens.
$token = $user->createToken('api-token')->plainTextToken;

// Protect a route; the client sends the token in an Authorization: Bearer header
Route::middleware('auth:sanctum')->get('/data', ...);

Why not Passport?

  • Sanctum is simpler (no OAuth2 boilerplate).
  • No database bloat: Passport adds oauth_clients, oauth_access_tokens, oauth_refresh_tokens and oauth_auth_codes; Sanctum only needs personal_access_tokens.

Gotchas:

  • Tokens do not expire by default; set expiration (in minutes) in config/sanctum.php, or pass an expiry date as the third argument of createToken(), if you need a lifetime.
  • No built-in refresh tokens (but you can add them).

Docs: Laravel Sanctum Guide."*
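
The token side in more depth, as an added example that is not the page's or Sanctum's own code: issuing a token with a restricted ability list and a hard expiry, enforcing abilities at the route and inside the handler, and revoking one token or all of them. It assumes a User model that uses the Laravel\Sanctum\HasApiTokens trait, Sanctum 3.3 or newer (for the expiry argument), and the 'abilities' and 'ability' middleware aliases registered in bootstrap/app.php; the ability names and the /tokens, /servers and /metrics routes are hypothetical.

```php
<?php
// routes/api.php (added example, not Sanctum's own code). Assumes a User
// model with the HasApiTokens trait and the 'abilities'/'ability' aliases
// (CheckAbilities / CheckForAnyAbility) registered in bootstrap/app.php.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Laravel\Sanctum\PersonalAccessToken;

// Issue a token for the already-authenticated user. The ability list is a
// hypothetical allow-list for a monitoring client; the third argument gives
// this token a hard expiry independent of the global 'expiration' value
// (minutes, null = never) in config/sanctum.php.
Route::middleware('auth:sanctum')->post('/tokens', function (Request $request) {
    $request->validate(['device_name' => 'required|string|max:100']);

    $token = $request->user()->createToken(
        $request->input('device_name'),
        ['server:read', 'metrics:write'],   // assumed ability names
        now()->addDays(7),
    );

    // plainTextToken is "id|random"; only sha256(random) is stored, so this
    // response is the only time the secret exists on the server side.
    return response()->json(['token' => $token->plainTextToken], 201);
});

// 'abilities:' requires ALL listed abilities ...
Route::middleware(['auth:sanctum', 'abilities:server:read'])
    ->get('/servers', fn () => ['servers' => []]);

// ... 'ability:' requires ANY of them; refine inside the handler as needed.
Route::middleware(['auth:sanctum', 'ability:metrics:write,server:read'])
    ->post('/metrics', function (Request $request) {
        if (! $request->user()->tokenCan('metrics:write')) {
            abort(403, 'token lacks metrics:write');
        }

        return response()->noContent();
    });

// Revoke only the token used for this request (log out one device).
// A session-authenticated SPA request carries a TransientToken, which is
// not a database row, so guard on the model class before deleting.
Route::middleware('auth:sanctum')->delete('/tokens/current', function (Request $request) {
    $current = $request->user()->currentAccessToken();

    if ($current instanceof PersonalAccessToken) {
        $current->delete();
    }

    return response()->noContent();
});

// Revoke every token the user owns (password change, suspected compromise).
Route::middleware('auth:sanctum')->delete('/tokens', function (Request $request) {
    $request->user()->tokens()->delete();

    return response()->noContent();
});
```

One caveat a reviewer should know: when the caller is a first-party SPA authenticated by session cookie, tokenCan() and both ability middlewares return true for every ability, because the request carries a TransientToken rather than a scoped database token. Ability checks therefore only constrain bearer-token clients; authorization for the SPA itself still belongs in policies and gates.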