Security Core Laravel Package

symfony/security-core

Symfony Security Core provides the core building blocks for authentication and authorization: tokens, voters, role hierarchies, access decision management, and user providers. Use it to implement flexible permission checks and separate security logic from user storage.

Symfony Security Component - Core Library

Frequently asked questions about Security Core
How do I replace Laravel’s Auth::attempt() with Symfony Security Core?
Symfony Security Core doesn’t directly replace `Auth::attempt()`. Instead, create a custom `AuthenticationProvider` and use the `AuthenticationManager` to handle token generation and authentication. Wrap this in a Laravel service or facade (e.g., `SymfonyAuth::attempt()`) to mimic Laravel’s syntax while leveraging Symfony’s underlying logic.
Can I use Symfony Security Core for JWT authentication in Laravel APIs?
Yes, but you’ll need to implement a custom `BearerToken` and integrate it with Symfony’s `AuthenticationManager`. For stateless APIs, pair it with a `PersistentToken` storage solution (e.g., Redis or DynamoDB) to manage token revocation. Laravel’s Passport or Sanctum can coexist if you use a hybrid approach for authorization.
What’s the performance impact of role hierarchies in high-traffic Laravel apps?
Role hierarchies add minimal overhead (~5–10ms per request) but can compound in nested checks. Benchmark your use case, especially for APIs. For high-traffic apps, cache `AccessDecisionManager` instances or use simpler `RoleVoter` configurations where possible. Symfony’s `RoleHierarchy` is optimized but not as lightweight as Laravel’s `Gate` system.
How do I migrate from Laravel’s Gate/Policy to Symfony’s Voters?
Replace `Gate::forUser()` with Symfony’s `AuthorizationChecker` and create custom `Voter` classes (e.g., `DepartmentVoter` for ABAC). Use `AccessDecisionManager` to combine voters. For incremental migration, keep Laravel’s `Policy` classes for simple checks and offload complex logic to Symfony Voters. Test edge cases like nested roles or dynamic attributes.
Does Symfony Security Core support multi-tenancy in Laravel?
Yes, but you’ll need to configure voters to accept tenant-specific data. Pass tenant IDs via `VoteObject`’s `extraData` or middleware, then use custom voters (e.g., `TenantVoter`) to enforce rules like `user.tenantId === request.tenantId`. Combine with Symfony’s `RoleHierarchy` for tenant-aware role inheritance (e.g., `ROLE_TENANT_ADMIN`).
How do I integrate Symfony Security Core with Laravel’s middleware stack?
Use Symfony’s `AuthenticatorInterface` and wrap it in Laravel middleware (e.g., `HandleAuthenticator`). For example, create a middleware that instantiates a `BearerTokenAuthenticator` and delegates to Symfony’s `AuthenticationManager`. This allows seamless HTTP integration while leveraging Symfony’s stateless/authenticator patterns.
What Laravel versions are compatible with Symfony Security Core?
Symfony Security Core requires PHP 8.4+, which aligns with Laravel 10+. For Laravel 9.x, use Symfony 6.x (PHP 8.1+). Avoid mixing versions—ensure your Laravel app’s dependencies (e.g., `symfony/http-foundation`) match the Security Core version. Check the [Symfony docs](https://symfony.com/doc/current/components/security.html) for version-specific quirks.
How do I handle legacy Laravel auth (e.g., Passport) alongside Symfony Security Core?
Use a hybrid approach: keep Passport for OAuth2/JWT auth and replace Laravel’s `Gate`/`Policy` with Symfony’s `AuthorizationChecker` and `Voter`. For token validation, implement a custom `AuthenticationProvider` that delegates to Passport’s `TokenGuard`. This avoids full migration while adopting Symfony’s authorization features incrementally.
Are there Laravel-specific wrappers or packages to simplify Symfony Security Core integration?
No official Laravel wrappers exist, but you can create custom facades (e.g., `SymfonyAuth`, `SymfonyGate`) to abstract Symfony’s classes. For example, wrap `AccessDecisionManager` in a `SymfonyAuthorization` facade to mimic Laravel’s `Gate` syntax. Community packages like `spatie/laravel-symfony-security` may emerge—check Packagist for updates.
How do I log access decisions for audit compliance (e.g., GDPR/HIPAA)?
Symfony’s `AccessDecisionManager` doesn’t log by default, but you can intercept decisions by extending it or using a custom `Voter` that logs via Laravel’s `Log` facade. For real-time audits, attach a listener to Symfony’s `security.access_decision` event (if available) or wrap `decide()` calls in middleware. Store logs in a structured format (e.g., JSON) for compliance.
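The multi-tenancy and audit-logging answers above, combined in one added example (not code from the package or this page): a tenant voter next to a role-hierarchy voter, with `decide()` wrapped so every decision produces a JSON record. `Invoice`, `TenantVoter`, `auditedDecide()`, the `TENANT_ACCESS` attribute, `ROLE_TENANT_USER` and the `tenant_id` token attribute are hypothetical names; the tenant ID is carried as a token attribute here, and symfony/security-core 6.x or later is assumed to be installed via Composer.

```php
<?php
// Added example: assumes symfony/security-core 6.x or later installed via Composer.
require __DIR__ . '/vendor/autoload.php';
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\RoleHierarchyVoter;
use Symfony\Component\Security\Core\Authorization\Voter\Vote;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\Role\RoleHierarchy;
use Symfony\Component\Security\Core\User\InMemoryUser;

// Hypothetical tenant-owned record.
final class Invoice { public function __construct(public readonly int $tenantId) {} }
// Hypothetical voter: grants TENANT_ACCESS only if the token's tenant_id matches the record's.
final class TenantVoter extends Voter
{
    protected function supports(string $attribute, mixed $subject): bool
    {
        return $attribute === 'TENANT_ACCESS' && $subject instanceof Invoice;
    }

    // Optional $vote keeps the signature valid on releases that declare it; a token without a tenant is denied.
    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
    {
        return $token->hasAttribute('tenant_id') && $token->getAttribute('tenant_id') === $subject->tenantId;
    }
}

// Wraps decide() and emits one JSON audit record per decision (swap error_log for your logger).
function auditedDecide(AccessDecisionManagerInterface $adm, TokenInterface $token, string $attribute, mixed $subject = null): bool
{
    $granted = $adm->decide($token, [$attribute], $subject);
    error_log(json_encode(['user' => $token->getUserIdentifier(), 'attribute' => $attribute, 'granted' => $granted, 'at' => date(DATE_ATOM)]));
    return $granted;
}

$hierarchy = new RoleHierarchy(['ROLE_TENANT_ADMIN' => ['ROLE_TENANT_USER']]);
$adm = new AccessDecisionManager([new RoleHierarchyVoter($hierarchy), new TenantVoter()]);
// Constructed sample principal: an admin of tenant 7. Both the inherited role and the tenant match must hold.
$token = new UsernamePasswordToken(new InMemoryUser('alice', null, ['ROLE_TENANT_ADMIN']), 'main', ['ROLE_TENANT_ADMIN']);
$token->setAttribute('tenant_id', 7);
foreach ([new Invoice(7), new Invoice(8)] as $invoice) {
    $ok = auditedDecide($adm, $token, 'ROLE_TENANT_USER') && auditedDecide($adm, $token, 'TENANT_ACCESS', $invoice);
    echo "tenant {$invoice->tenantId}: ", $ok ? 'granted' : 'denied', PHP_EOL;
}
```

Each attribute is decided separately because `AccessDecisionManager::decide()` rejects multiple attributes in one call by default; under the default affirmative strategy each voter abstains on the attribute it does not support.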