diff --git a/CHANGELOG.md b/CHANGELOG.md index 2b63553..8d3381f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Changed + +- **Auth Configuration: Set sanctum as default guard** (#134) + - Changed default guard from `'web'` to `'sanctum'` in `config/auth.php` + - Added explicit `sanctum` guard configuration to guards array + - Updated documentation comments to explain API-only, token-based architecture + - Aligns configuration with actual authentication mechanism (all routes use `auth:sanctum`) + - Self-documenting: Config now clearly shows SecPal is API-only (React PWA frontend) + - Consistent with User model `$guard_name = 'sanctum'` property (#129) + - No behavior change: All 207 tests passing + ### Fixed - **Permission System Guard Migration** - Migrated from 'web' to 'sanctum' guard (#126, #127, #128, #129) diff --git a/config/auth.php b/config/auth.php index da16316..11edc90 100644 --- a/config/auth.php +++ b/config/auth.php @@ -10,14 +10,17 @@ | Authentication Defaults |-------------------------------------------------------------------------- | - | This option defines the default authentication "guard" and password - | reset "broker" for your application. You may change these values - | as required, but they're a perfect start for most applications. + | SecPal is an API-only application (React PWA frontend) using stateless + | token-based authentication via Laravel Sanctum. The default guard is + | set to 'sanctum' to reflect this architecture. + | + | The 'web' guard is kept for Laravel's password reset flow (stateless + | token-based verification), but is NOT used for actual authentication. | */ 'defaults' => [ - 'guard' => env('AUTH_GUARD', 'web'), + 'guard' => env('AUTH_GUARD', 'sanctum'), 'passwords' => env('AUTH_PASSWORD_BROKER', 'users'), ], 
@@ -26,15 +29,13 @@ | Authentication Guards |-------------------------------------------------------------------------- | - | Next, you may define every authentication guard for your application. - | Of course, a great default configuration has been defined for you - | which utilizes session storage plus the Eloquent user provider. + | SecPal uses Laravel Sanctum for API token authentication. All API routes + | are protected with the 'sanctum' guard (stateless Bearer tokens). | - | All authentication guards have a user provider, which defines how the - | users are actually retrieved out of your database or other storage - | system used by the application. Typically, Eloquent is utilized. + | The 'web' guard remains configured for Laravel's password reset email + | verification flow only. It is NOT used for actual user authentication. | - | Supported: "session" + | Supported drivers: "session", "sanctum" | */ @@ -43,6 +44,11 @@ 'driver' => 'session', 'provider' => 'users', ], + + 'sanctum' => [ + 'driver' => 'sanctum', + 'provider' => 'users', + ], ], /*
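Review bot: In the CHANGELOG hunk, the line "No behavior change: All 207 tests passing" overstates what the test run proves. Changing `defaults.guard` changes which guard every unqualified call resolves to, so any `auth()->user()`, `Auth::check()`, `$request->user()` without a guard argument, or a bare `auth` middleware (as opposed to `auth:sanctum`) now goes through the sanctum guard instead of the session guard. Routes that all use `auth:sanctum` are unaffected, but policies, gates, jobs, console commands and blade/notification code that call `auth()` with no guard are not covered by that statement. Suggest either rewording to "No observed behavior change under the existing test suite" or listing the audited unqualified call sites, and noting that deployments that set `AUTH_GUARD=web` in `.env` keep the old behaviour, since the env override still wins over the new default.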
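Review bot: In the first `config/auth.php` hunk, the new comment's rationale for keeping the `web` guard is inaccurate on two counts and should be rewritten before merge. First, Laravel's password reset broker is selected by `defaults.passwords` and resolved through `auth.passwords.users.provider`; it never consults a guard, so "kept for Laravel's password reset flow" does not describe why `web` must stay. Second, the `session` driver is not "stateless token-based verification"; it is the cookie/session guard. The actual reason `web` must remain defined is that Sanctum's guard first asks the guard(s) named in `config('sanctum.guard')` (default `'web'`) for a session-authenticated user before it looks at the Bearer token, so removing or renaming `web` would break the sanctum guard itself. Suggested replacement for the last comment block: "The 'web' guard is retained because Sanctum's guard checks it first for first-party (session) requests before falling back to Bearer tokens; it is not a separate login path for the API." Because of that fallback, if the React PWA origin is ever listed in `SANCTUM_STATEFUL_DOMAINS`, requests from it authenticate via session cookie and need the CSRF protection provided by `EnsureFrontendRequestsAreStateful`; if the goal stated in the comment is strictly stateless Bearer-token auth, that list should be empty and a test should assert it.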
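Review bot: In the "Authentication Guards" comment hunk, the sentence "The 'web' guard remains configured for Laravel's password reset email verification flow only. It is NOT used for actual user authentication." repeats the inaccuracy from the previous hunk and is the line most likely to mislead a future maintainer into deleting the `web` guard. Suggest replacing it with a sentence that states the real dependency (Sanctum's guard consults `config('sanctum.guard')`, which defaults to `web`, for session-authenticated users before checking the token) and, if the team wants to prove the "NOT used" claim, pinning that with a feature test that hits a protected route with a valid session cookie and no token and asserts a 401. The "Supported drivers: "session", "sanctum"" line is fine as documentation, with the caveat that `sanctum` is only available because the Sanctum service provider registers the driver via `Auth::extend`.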
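Review bot: The explicit `'sanctum' => ['driver' => 'sanctum', 'provider' => 'users']` entry in the last hunk is correct but the changelog should say that it is a tightening, not just documentation. Sanctum already registers a `sanctum` guard with `provider => null`, and a `null` provider makes the guard accept any tokenable model; setting `provider => 'users'` makes Sanctum's `hasValidProvider` check reject tokens whose tokenable is not an instance of `auth.providers.users.model`. That is the desirable behaviour for an API that has a single user model, so please keep it, add a one-line comment above the entry explaining that the provider is set deliberately to restrict token bearers to the `users` model, and add a test that a token issued to some other `HasApiTokens` model (or a `PersonalAccessToken` row with a foreign `tokenable_type`) is rejected on an `auth:sanctum` route, so the restriction cannot be silently lost if someone later "simplifies" the entry back to the package default.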