How to Add Authentication to a Laravel App (2026 Guide)
Complete guide to Laravel auth. Covers Breeze, Fortify, Sanctum, Jetstream, and managed providers for PHP web apps.
Laravel is the dominant PHP framework, holding a 60% market share among PHP frameworks and powering more than 1.5 million websites worldwide. According to JetBrains’ surveys, 61% of PHP developers use Laravel regularly. One reason for this dominance: Laravel ships with more auth options than any other framework.
The challenge is not whether Laravel can handle auth — it is choosing the right package from Laravel’s own ecosystem. This guide covers every practical approach to Laravel auth in 2026.
Laravel’s Auth Ecosystem Explained
Laravel offers four official auth packages, and understanding how they relate to each other is the first step:
- Laravel Breeze — Minimal auth scaffolding with Blade/Tailwind UI. Includes login, registration, password reset, and email verification. Uses Fortify under the hood.
- Laravel Fortify — Headless authentication backend. Handles all auth logic (registration, login, 2FA, password reset) but generates no UI. You build the frontend yourself.
- Laravel Sanctum — SPA and API token authentication. Cookie-based sessions for same-domain SPAs, API tokens for mobile apps. Does not handle OAuth.
- Laravel Jetstream — Full-featured starter kit. Includes everything in Breeze plus team management, API tokens via Sanctum, two-factor authentication, and profile management. Available with Livewire or Inertia.js frontends.
These packages are not competitors — they are layers. Breeze uses Fortify. Jetstream uses both Fortify and Sanctum. You pick the level of abstraction that matches your project.
Common Laravel Auth Approaches Compared
Laravel Breeze
Breeze is the fastest way to add auth to a new Laravel project. One Artisan command generates login, registration, password reset, email verification, and profile editing views with Tailwind CSS.
What works well:
- Setup in under 30 minutes with `composer require laravel/breeze`
- Clean, readable code that follows Laravel conventions
- Blade, React, Vue, and API-only stacks available
- Good starting point for MVPs and consumer apps
Where it falls apart:
- No team management or organization support
- No built-in 2FA
- No social login without additional packages
- Limited to basic auth features
Laravel Fortify
Fortify is a frontend-agnostic auth backend. It handles registration, login, two-factor authentication, email verification, and password confirmation without generating any views.
What works well:
- Complete auth backend with no UI opinions
- 2FA support with TOTP (authenticator apps)
- Authentication response times of roughly 120ms vs 200ms with full-stack solutions
- Works with any frontend (Vue, React, mobile, Blade)
Where it falls apart:
- You build every view and form yourself
- More initial work than Breeze for standard web apps
- Documentation assumes familiarity with Laravel’s auth contracts
- Testing requires mocking the full auth flow
Laravel Sanctum
Sanctum provides two features: cookie-based session auth for first-party SPAs and API token authentication for mobile apps.
What works well:
- Cookie-based SPA auth with same-domain CSRF protection
- Simple API tokens for mobile apps
- No OAuth complexity for first-party clients
- Lightweight — minimal overhead per request
Where it falls apart:
- Only for first-party apps. Third-party OAuth requires Laravel Passport
- SPA must be on the same top-level domain
- No built-in token refresh mechanism
- Does not handle user registration or login — pair with Fortify or Breeze
Laravel Jetstream
Jetstream is the full-featured option. Built on Fortify and Sanctum, it adds team management, API tokens, profile photos, two-factor authentication, and browser session management.
What works well:
- Team/organization management out of the box
- 2FA with recovery codes
- Browser session management (view and revoke active sessions)
- Available with Livewire or Inertia.js (Vue/React)
Where it falls apart:
- Heavy for simple projects
- Opinionated about frontend stack (Livewire or Inertia)
- Customizing generated views requires understanding Jetstream’s structure
- Slower auth response times than standalone Fortify
Socialite
Laravel Socialite handles OAuth authentication with social providers. It supports Google, Facebook, Twitter, LinkedIn, GitHub, GitLab, and Bitbucket, with community packages for dozens more.
What works well:
- Clean API for OAuth flows
- Official support for major providers
- Community packages extend to 100+ providers
- Works alongside Breeze, Fortify, or Jetstream
Where it falls apart:
- Only handles the OAuth flow — you manage users and sessions yourself
- No account linking or merging built in
- Each provider requires separate configuration
- Testing OAuth flows requires mock servers
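Because Socialite stops at the OAuth flow and has no account linking, the callback has to decide how a provider identity maps to a local user. The following added example (not from the original page) keys the mapping on the provider's user id and refuses to merge silently on a matching e-mail; the `SocialAccount` model, its columns and the route paths are assumptions.

```php
<?php
// routes/web.php (added example). Assumed: a SocialAccount model (user_id,
// provider, provider_id) with a user() relation, and these route paths.

use App\Models\SocialAccount;
use App\Models\User;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;
use Laravel\Socialite\Facades\Socialite;

Route::get('/auth/github/redirect', fn () => Socialite::driver('github')->redirect());

Route::get('/auth/github/callback', function () {
    // Socialite checks the OAuth state value here and throws on a mismatch.
    $remote = Socialite::driver('github')->user();
    abort_if(empty($remote->getEmail()), 422, 'GitHub returned no e-mail address.');

    $user = DB::transaction(function () use ($remote) {
        // Match on (provider, provider_id): the provider's stable identifier.
        $link = SocialAccount::where('provider', 'github')
            ->where('provider_id', (string) $remote->getId())
            ->first();
        if ($link) {
            return $link->user;
        }

        // First login with this GitHub account. Do not auto-link to a local user
        // with the same e-mail; linking belongs in an authenticated session.
        abort_if(User::where('email', $remote->getEmail())->exists(), 409,
            'An account with this e-mail exists. Sign in and link GitHub from your profile.');

        $user = User::create([
            'name'     => $remote->getName() ?? $remote->getNickname(),
            'email'    => $remote->getEmail(),
            'password' => Hash::make(Str::random(40)), // unusable random password
        ]);
        SocialAccount::create([
            'user_id' => $user->id, 'provider' => 'github',
            'provider_id' => (string) $remote->getId(),
        ]);
        return $user;
    });

    Auth::login($user); // Socialite returns a profile only; the session is ours to create
    return redirect()->intended('/dashboard');
});
```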
The Real Problem: Auth Is Only Half the Battle
Laravel’s auth ecosystem is comprehensive. But authentication does not generate revenue. If you are building a SaaS, you still need Stripe for payments, subscription management, webhooks, and a billing portal.
Laravel Cashier handles Stripe subscriptions, but that is another package to configure, another set of migrations, and another layer of user-to-customer mapping to maintain.
How Beag Simplifies Laravel Auth and Payments
Beag combines auth and payments into a single script tag. Instead of configuring Breeze for auth and Cashier for payments separately, you add the Beag script tag to your Blade layout and get:
- Authentication with email, social login, and magic links
- Stripe payments with checkout, subscriptions, and customer portal
- User-to-customer mapping handled automatically
- Session data accessible from your controllers
For solo developers and indie hackers, this eliminates the most time-consuming parts of launching a SaaS. See our guide on monetizing side projects for more strategies.
Choosing the Right Approach
| Solution | Cost | Setup Time | Auth + Payments |
|---|---|---|---|
| Laravel Breeze | Free | 30 minutes | Auth only |
| Fortify + Sanctum | Free | 3-6 hours | Auth only |
| Jetstream | Free | 1-2 hours | Auth only |
| Breeze + Cashier | Free | 1-2 days | Both (separate) |
| Beag | $19/month | 15 minutes | Both included |
For other backend frameworks, see our Django auth guide or Rails auth guide. Browse all guides in the guide hub.
What to Do Next
- Start with Breeze for most new Laravel projects.
- Add Jetstream if you need teams, 2FA, or session management.
- Use Sanctum for SPA or mobile API authentication.
- Ship faster. Try Beag free for 7 days or explore the docs.
Frequently Asked Questions
What is the difference between Laravel Breeze, Fortify, Sanctum, and Jetstream?
Breeze is a minimal auth scaffolding with Tailwind CSS UI. Fortify is a headless auth backend with no UI. Sanctum handles SPA and API token authentication. Jetstream is a full-featured starter kit with team management and 2FA. Breeze and Fortify are not competing -- Breeze uses Fortify under the hood. Sanctum and Fortify can work together.
Which Laravel auth package should I use for a new project?
For a traditional web app or MVP, start with Laravel Breeze. It gives you login, registration, password reset, and email verification with minimal code. For SPAs with Vue or React frontends, use Sanctum for API token auth. For apps needing teams, billing, and 2FA, use Jetstream.
Is Laravel Sanctum good for SPAs?
Yes, Sanctum is designed specifically for first-party SPAs. It uses cookie-based session authentication for same-domain SPAs and API tokens for mobile apps. It does not handle OAuth or third-party API access -- use Laravel Passport for that.
How fast is Laravel Fortify compared to Jetstream?
Apps using Fortify show authentication response times of roughly 120ms compared to approximately 200ms with full-stack auth solutions like Jetstream. Fortify is 15% faster because it skips the UI rendering overhead. This matters for API-driven projects where auth performance affects every request.
How long does it take to add auth to a Laravel app?
Laravel Breeze takes about 30 minutes to set up with a working login, registration, and password reset UI. Jetstream with team management takes 1-2 hours. Custom Fortify + Sanctum setup takes 3-6 hours. If you need auth and payments together, Beag handles both in about 15 minutes.