Authentication Overview

SaasKitFy provides a complete, production-ready authentication system built on Laravel Sanctum. All auth methods issue Sanctum API tokens, giving you a unified session model regardless of how the user signs in.

Supported Authentication Methods

  • Email & Password — Traditional registration and login with email verification, password reset, and account lockout
  • Magic Link — Passwordless login via single-use email links with 15-minute expiry
  • OAuth — Social login with Google, GitHub, Microsoft, and Apple via Laravel Socialite
  • Multi-Factor Authentication (MFA) — TOTP-based second factor (Google Authenticator compatible) with recovery codes
  • SAML SSO — Enterprise single sign-on with global or per-organization IdP configuration and domain routing

Architecture

All authentication controllers live in app/Http/Controllers/Auth/. The system is modular — each method is handled by its own controller and can be independently enabled or disabled from the admin panel.

app/Http/Controllers/Auth/
├── LoginController.php
├── RegisterController.php
├── ForgotPasswordController.php
├── ResetPasswordController.php
├── VerifyEmailController.php
├── MagicLinkController.php
├── OAuthController.php
├── MfaController.php
├── SamlController.php
├── SessionController.php
└── PersonalTokenController.php

Sanctum Tokens

Every auth method ultimately issues a Sanctum personal access token, so your frontend and API consumers send the same Authorization: Bearer {token} header regardless of whether the user logged in with a password, magic link, or SSO. The plaintext token is returned once, in the login response shown below; Sanctum stores only a SHA-256 hash of it, so a lost token cannot be recovered and must be reissued.

{
    "token": "1|abc123def456...",
    "user": {
        "id": 1,
        "name": "John Doe",
        "email": "john@example.com"
    }
}

Rate Limiting

All auth endpoints are rate-limited to slow brute-force and enumeration attempts. Note which key each limit uses (email or source IP):

  • Login: 5 attempts per minute per email
  • Registration: 3 attempts per minute per IP
  • Password reset: 5 requests per minute per email
  • Magic link: 5 requests per minute per email
  • MFA verification: 5 attempts per minute per token

Account Lockout

After 5 consecutive failed login attempts, the account is locked for 15 minutes. The failed_login_attempts and locked_until fields on the User model track lockout state. Failed attempts are reset on successful login.
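The login action below is an added illustration, not SaasKitFy's own LoginController, that ties the Sanctum Tokens and Account Lockout sections together: it enforces the lockout rule (5 consecutive failures lock the account for 15 minutes, counters reset on success) and finishes by issuing a Sanctum token in the response shape shown above. It assumes a User model that uses Sanctum's HasApiTokens trait with an integer failed_login_attempts column and a datetime-cast locked_until column; the 423 status code, the 30-day token lifetime and the handling of an expired lock are illustrative choices the page does not specify.

```php
<?php
// Added illustration, not SaasKitFy's own LoginController: enforces the lockout
// rules (5 consecutive failures -> 15-minute lock, reset on success) and issues
// a Sanctum personal access token on success.
// Assumptions: User uses Laravel\Sanctum\HasApiTokens and has an integer
// `failed_login_attempts` column and a datetime-cast `locked_until` column.
// The 423 status and 30-day token lifetime are illustrative choices.

namespace App\Http\Controllers\Auth;

use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class ExampleLoginController
{
    private const MAX_FAILED_ATTEMPTS = 5;
    private const LOCKOUT_MINUTES = 15;

    public function __invoke(Request $request): JsonResponse
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        $user = User::where('email', $credentials['email'])->first();

        // Reject locked accounts before checking the password, so a correct
        // guess made inside the lockout window confirms nothing.
        if ($user && $user->locked_until?->isFuture()) {
            return response()->json([
                'message'     => 'Account temporarily locked.',
                'retry_after' => $user->locked_until->toIso8601String(),
            ], 423);
        }

        // Always run a bcrypt check, against a dummy hash when the email is
        // unknown, so response time does not reveal which emails are registered.
        $storedHash = $user?->password ?? $this->dummyHash();
        if (! $user || ! Hash::check($credentials['password'], $storedHash)) {
            if ($user) {
                $this->recordFailure($user);
            }
            // Same message for "no such user" and "wrong password".
            return response()->json(['message' => 'Invalid credentials.'], 401);
        }

        // A successful login clears the lockout state.
        $user->forceFill(['failed_login_attempts' => 0, 'locked_until' => null])->save();

        // Every sign-in method ends the same way: a Sanctum token. Sanctum stores
        // only a SHA-256 hash; the plaintext below is the only copy the client gets.
        $token = $user->createToken('web', ['*'], now()->addDays(30))->plainTextToken;

        return response()->json([
            'token' => $token,
            'user'  => $user->only(['id', 'name', 'email']),
        ]);
    }

    private function recordFailure(User $user): void
    {
        // An expired lock starts a fresh window (assumption: the page does not
        // say how attempts are counted after a lock expires).
        $attempts = $user->locked_until?->isPast()
            ? 1
            : $user->failed_login_attempts + 1;

        $user->forceFill([
            'failed_login_attempts' => $attempts,
            'locked_until'          => $attempts >= self::MAX_FAILED_ATTEMPTS
                ? now()->addMinutes(self::LOCKOUT_MINUTES)
                : null,
        ])->save();
    }

    private function dummyHash(): string
    {
        // Computed once per process so the unknown-email path costs one bcrypt
        // verification, the same as the known-email path.
        static $hash = null;
        return $hash ??= Hash::make('not-a-real-password');
    }
}
```

Two details matter for security here: the lock is checked before the password so an attacker cannot use the lockout window to confirm a guess, and the error response is identical for an unknown email and a wrong password. The per-email rate limit from the previous section still applies on top of this controller; the lockout is what persists once that one-minute window has passed.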

Admin-Toggleable Providers

Every authentication method can be enabled or disabled from the admin panel without touching code. These are stored as application settings:

  • auth.password_login — Enable/disable email & password login
  • auth.magic_link — Enable/disable magic link login
  • auth.oauth.google — Enable/disable Google OAuth
  • auth.oauth.github — Enable/disable GitHub OAuth
  • auth.oauth.microsoft — Enable/disable Microsoft OAuth
  • auth.oauth.apple — Enable/disable Apple OAuth
  • auth.mfa — Enable/disable MFA globally
  • sso.mode — Set to disabled, per_org, or global

When a method is disabled, its routes return 403 Forbidden and the frontend hides the corresponding UI.
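One way to enforce the 403 behaviour at the routing layer, as an added example that is not SaasKitFy's own middleware: a route middleware that takes the setting key as a parameter, so each auth controller's routes declare which toggle governs them. It assumes a hypothetical setting($key, $default) helper that reads the application settings listed above and a User-facing error body; the alias auth.method is also an assumption.

```php
<?php
// Added illustration, not SaasKitFy's own code: route middleware that returns
// 403 Forbidden when the admin has disabled an authentication method.
// Assumption: a hypothetical setting($key, $default) helper reads the
// application settings listed above (auth.password_login, auth.oauth.google,
// sso.mode, ...). Middleware alias `auth.method` is also assumed.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class EnsureAuthMethodEnabled
{
    /**
     * Example route registrations (routes/api.php):
     *
     *   Route::post('/auth/login', LoginController::class)
     *       ->middleware('auth.method:auth.password_login');
     *   Route::post('/auth/magic-link', MagicLinkController::class)
     *       ->middleware('auth.method:auth.magic_link');
     *   Route::get('/auth/oauth/{provider}/redirect', [OAuthController::class, 'redirect'])
     *       ->middleware('auth.method:auth.oauth');
     *   Route::post('/auth/saml/acs', [SamlController::class, 'acs'])
     *       ->middleware('auth.method:sso');
     */
    public function handle(Request $request, Closure $next, string $settingKey): Response
    {
        if (! $this->isEnabled($settingKey, $request)) {
            // 403 rather than 404: the route exists, the method is switched off.
            abort(403, 'This sign-in method is disabled.');
        }

        return $next($request);
    }

    private function isEnabled(string $settingKey, Request $request): bool
    {
        // sso.mode is a tri-state (disabled / per_org / global), not a boolean.
        if ($settingKey === 'sso') {
            return setting('sso.mode', 'disabled') !== 'disabled';
        }

        // OAuth routes carry the provider in the URL; build the per-provider key
        // from it so an unknown provider falls through to the default (false).
        if ($settingKey === 'auth.oauth') {
            $provider = strtolower((string) $request->route('provider'));
            $settingKey = "auth.oauth.{$provider}";
        }

        // Default to disabled when the setting has never been saved, so a
        // missing row cannot silently enable a method.
        return (bool) setting($settingKey, false);
    }
}
```

Failing closed is the important choice: an unknown provider name or a setting that has never been written resolves to disabled, so the only way to expose a method is to explicitly enable it in the admin panel. Keep the frontend hide-the-button behaviour as a convenience only; this middleware is what actually blocks the request.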

Session Management

Users can view all active sessions (with IP address and user agent), revoke individual sessions, or revoke all sessions at once. Organization admins can also view and revoke sessions for their members. See the Sessions documentation for details.