Every public webhook is an open door — until you lock it with Sanctum
Every e-commerce integration — LiqPay callbacks, Nova Poshta tracking, Monobank webhooks — crosses a public HTTP endpoint. Without proper authentication, those endpoints are open to spoofing, replay attacks, and data leaks. Laravel Sanctum closes that gap in under a day of engineering work, and the result is measurable: authenticated API traffic only, verified token ownership, and audit-ready logs for every integration call.
What Sanctum does — and what it costs your stack
Sanctum is a first-party Laravel package that issues lightweight API tokens stored in the personal_access_tokens table. Each token carries a set of abilities — liqpay:webhook, nova-poshta:track, orders:read — so you grant the minimum required scope per integration. Token validation adds roughly 0.2 ms per request; there is no JWT decode overhead or external OAuth server to maintain.
For SPAs (React, Vue, or Nuxt storefronts served from the same domain), Sanctum also handles cookie-based session authentication transparently. You get stateful auth for your admin panel and stateless token auth for external integrations from a single package.
A real integration flow with LiqPay
When LiqPay posts a payment callback to your endpoint, the request carries a signature — but your endpoint still needs to verify the calling service has permission to write to your orders table. With Sanctum:
- Generate a dedicated token:
  $token = $user->createToken('liqpay-webhook', ['payments:write']);
- Store the token hash in your .env — never in version control.
- Protect the route:
  Route::post('/webhooks/liqpay', LiqPayController::class)->middleware('auth:sanctum');
A forged request without the valid token header returns 401 before your controller even runs. You log the attempt; LiqPay's real request proceeds to update the order.
Nova Poshta and Ukrposhta tracking — same pattern
Both delivery APIs send webhook status updates. Register a scoped token per service — nova-poshta:write, ukrposhta:write — and revoke individual tokens if a credential rotates. Every revocation is a single database row delete; no key infrastructure rebuild required.
Multi-tenancy benefit
If you serve multiple merchants on one Laravel platform, Sanctum's token ability system maps cleanly to per-merchant scopes. Merchant A's token cannot read Merchant B's orders, because the ability check fails before the Eloquent query runs. This is the correct architecture for Laravel-based SaaS or OpenCart multi-store platforms.
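The LiqPay flow above (scoped token, auth:sanctum route, logging the rejected attempt) together with the per-merchant ability check from this section, as an added PHP example that is not code from the original post or from MaxiMoruM. It assumes an Order model with a merchant_id column, a User that owns the token, and the ability naming merchant:{id}:payments:write; the issuance helper sits on the controller only to keep the example in one file.

```php
<?php
// Added example, not code from the original post. Assumes an Order model with a
// merchant_id column and the ability naming "merchant:{id}:payments:write".

namespace App\Http\Controllers;

use App\Models\Order;
use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

class LiqPayController extends Controller
{
    // Issue a token that can only write payments for one merchant; the plaintext
    // value is shown once and must be handed to the integration out of band.
    public static function issueToken(User $owner, int $merchantId): string
    {
        return $owner->createToken(
            "liqpay-webhook-{$merchantId}",
            ["merchant:{$merchantId}:payments:write"],
            now()->addDays(90)              // expiry, so the weekly prune job has rows to drop
        )->plainTextToken;
    }

    // Route: Route::post('/webhooks/liqpay', LiqPayController::class)->middleware('auth:sanctum');
    // A request without a valid token never reaches this method; auth:sanctum returns 401 first.
    public function __invoke(Request $request): JsonResponse
    {
        $merchantId = (int) $request->input('merchant_id');
        $ability    = "merchant:{$merchantId}:payments:write";
        // Ability check before any Eloquent query: a token issued for another
        // merchant fails here and never touches that merchant's rows.
        if (! $request->user()->tokenCan($ability)) {
            Log::warning('liqpay webhook rejected: token lacks ability', [
                'token_id' => $request->user()->currentAccessToken()->id,
                'ability'  => $ability,
                'ip'       => $request->ip(),
            ]);
            return response()->json(['error' => 'forbidden'], 403);
        }

        $order = Order::where('merchant_id', $merchantId)
            ->findOrFail($request->input('order_id'));
        $order->update(['status' => $request->input('status')]);

        return response()->json(['ok' => true]);
    }
}
```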
What you should benchmark before go-live
- Token validation latency under load — run a load test against your staging API before deploying to production.
- Token count growth — schedule a weekly cleanup job to prune expired tokens from personal_access_tokens.
- Ability granularity — err toward narrow abilities now; broadening later is a one-line change.
Shipping it
A Sanctum integration on an existing Laravel project takes four to eight hours: package install, migration, token issuance logic, route middleware, and integration tests. MaxiMoruM deploys this as part of every new e-commerce project that connects Ukrainian payment or delivery APIs — and retrofits it to legacy systems on request.
If your current integration endpoints run without token authentication, you are one leaked credential away from fraudulent orders or corrupted inventory data.
→ Audit your API security with MaxiMoruM: maximorum.com