
Fortify Laravel Package

laravel/fortify

Laravel Fortify is a frontend-agnostic authentication backend for Laravel. It provides the core endpoints and logic for registration, login, password reset, email verification, and two-factor authentication used by Laravel starter kits.


Laravel Fortify is a frontend-agnostic authentication backend for Laravel, providing the server-side endpoints and logic needed for common auth flows. It powers the registration, login, and two-factor authentication capabilities used by Laravel Starter Kits, while letting you bring your own UI.

Designed to integrate cleanly with Laravel apps, Fortify focuses on secure, configurable authentication features without prescribing a frontend stack.

  • User registration and account creation workflows
  • Authentication / login endpoints and session handling
  • Two-factor authentication (2FA) support
  • Starter Kit–ready foundation for auth features
  • Frontend-agnostic: works with any UI or SPA approach

Frequently asked questions about Fortify

How do I install Laravel Fortify in a Laravel 11 project?
Run `composer require laravel/fortify` and publish the config with `php artisan vendor:publish --provider="Laravel\Fortify\FortifyServiceProvider"`. Then, add the middleware to your routes and run `php artisan fortify:install` to set up the default scaffolding. Fortify works with Laravel 10+ and PHP 8.1+.
Can Fortify be used with a Vue.js or React SPA instead of Blade?
Yes, Fortify is frontend-agnostic. For SPAs, pair it with Laravel Sanctum for API token authentication. Configure Sanctum’s middleware in `app/Http/Kernel.php` and ensure your frontend sends the Sanctum CSRF token. Fortify’s controllers will handle the backend logic seamlessly.
Does Fortify support two-factor authentication (2FA) out of the box?
Fortify includes 2FA support using TOTP (Time-based One-Time Password). Install the `pragmarx/google2fa` package and configure it in `config/fortify.php`. For SPAs, ensure Sanctum/Passport is set up to handle the 2FA state. Recovery codes are generated automatically during setup.
How do I customize the user model or authentication logic in Fortify?
Fortify uses Laravel’s built-in `Authenticatable` trait and `MustVerifyEmail` for email verification. To customize, extend the `FortifyServiceProvider` or override the default policies in `app/Policies/UserPolicy.php`. You can also bind custom guards by modifying the `boot()` method in the service provider.
Is Laravel Fortify compatible with Laravel Passport for OAuth2?
Fortify itself doesn’t include OAuth2, but you can integrate it with Passport for token-based authentication. Use Passport’s `TokenGuard` alongside Fortify’s controllers. Configure Passport’s routes and middleware separately, and ensure your frontend handles OAuth2 flows (e.g., authorization codes).
What’s the best way to test Fortify’s authentication in PHPUnit?
Fortify provides a `fake()` method for testing: `Fortify::fake()`. Use it to simulate logins, registrations, or password resets. For example, `Fortify::fake()->login()` will auto-verify the user. Combine it with Laravel’s `actingAs()` for session-based tests or Sanctum’s `actingAs()` for API tests.
Can I use Fortify with a multi-tenant application?
Fortify doesn’t natively support multi-tenancy, but you can extend it by creating tenant-aware guards or middleware. Override the `UserProvider` to scope queries by tenant ID, and modify Fortify’s policies to enforce tenant-specific rules. Ensure your user model includes a `tenant_id` field and update the `boot()` method in `FortifyServiceProvider`.
What are the performance implications of using Fortify in production?
Fortify adds minimal overhead. For high-traffic apps, enable Laravel’s queue system for email verification/password resets (configured in `config/fortify.php`). Rate-limiting is built-in for login attempts, and you can further optimize by caching user sessions or using Redis for session storage.
How do I migrate from Laravel’s built-in auth (e.g., Laravel 8’s auth scaffolding) to Fortify?
Replace the old `Auth` controllers with Fortify’s routes and middleware. Run `php artisan fortify:install` to generate the new scaffolding, then update your `routes/web.php` to use Fortify’s middleware (e.g., `CreateableMiddleware`, `VerifiableMiddleware`). Migrate any custom logic to Fortify’s policies or service provider.
Are there alternatives to Fortify for Laravel authentication?
Yes, alternatives include Laravel Breeze (simpler, includes Blade scaffolding), Jetstream (feature-rich with teams/invites), or third-party packages like Laravel Sanctum (API-only) or Passport (OAuth2). Fortify is ideal if you need a lightweight, modular backend without frontend opinions, while Breeze/Jetstream offer more pre-built UI components.