A comprehensive, production-ready authentication package for Laravel 12. AuthKit combines Laravel Fortify, Sanctum, Spatie Laravel Permission, and Spatie Laravel Passkeys to provide a full-featured auth system with:
- 🔐 Standard Authentication - Powered by Laravel Fortify
- 👥 Role-Based Access Control (RBAC) - Using Spatie Laravel Permission
- 📱 TOTP Two-Factor Authentication - Google Authenticator, Authy, etc.
- 🔑 Passkey Authentication - Modern WebAuthn/FIDO2 login
- 🛡️ Passkey as 2FA - Use passkeys as a second factor
- 🎨 Framework-Agnostic Blade Components - Beautiful, customizable UI partials
- 🌐 API Support - Full Sanctum integration for API authentication
- 🏢 Multi-Tenancy Ready - Optional tenant scoping
Requirements:
- PHP 8.2+
- Laravel 12.0+
- MySQL 5.7+ / PostgreSQL 9.6+ / SQLite 3.8.8+
```bash
composer require bspdx/authkit

# Publish configuration
php artisan vendor:publish --tag=authkit-config

# Publish migrations
php artisan vendor:publish --tag=authkit-migrations

# Publish Blade views (optional - only if you want to customize)
php artisan vendor:publish --tag=authkit-views

# Publish example routes
php artisan vendor:publish --tag=authkit-routes

# Publish database seeders
php artisan vendor:publish --tag=authkit-seeders
```

Run the migrations:

```bash
php artisan migrate
```

This will create tables for:
- Two-factor authentication columns in the `users` table
- Roles and permissions (Spatie)
- Passkeys (Spatie)
- Personal access tokens (Sanctum)

Seed the default roles, permissions and demo users:

```bash
php artisan db:seed --class=AuthKitSeeder
```

This creates:
- 4 default roles: `super-admin`, `admin`, `editor`, `user`
- Common permissions for each role
- 4 demo users (all with password: `password`):
  - superadmin@example.com - Super Admin
  - admin@example.com - Admin
  - editor@example.com - Editor
  - user@example.com - Regular User
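The demo accounts above all share the password `password`, so they belong on a development box only. As an added example that is not part of AuthKit, this `DatabaseSeeder` calls the published `AuthKitSeeder` only in local/testing environments and, everywhere else, bootstraps a single super-admin from the assumed `AUTHKIT_ADMIN_EMAIL` / `AUTHKIT_ADMIN_PASSWORD` variables.

```php
<?php

namespace Database\Seeders;

use App\Models\User;
use Illuminate\Database\Seeder;
use Illuminate\Support\Facades\Hash;
use Spatie\Permission\Models\Role;

// Added example, not AuthKit's own seeder: demo accounts only outside production,
// a single env-configured super-admin elsewhere.
class DatabaseSeeder extends Seeder
{
    public function run(): void
    {
        if (app()->environment(['local', 'testing'])) {
            // The bundled demo users (password "password") are fine on a dev box only.
            $this->call(AuthKitSeeder::class);

            return;
        }

        // Assumed variables, read with env(); move them to a config key if you cache
        // configuration. Fail loudly rather than fall back to a default password.
        $email    = env('AUTHKIT_ADMIN_EMAIL');
        $password = env('AUTHKIT_ADMIN_PASSWORD');

        if (! $email || ! $password || strlen($password) < 16) {
            throw new \RuntimeException('Set AUTHKIT_ADMIN_EMAIL and a 16+ character AUTHKIT_ADMIN_PASSWORD before seeding.');
        }

        $role = Role::findOrCreate(config('authkit.rbac.super_admin_role', 'super-admin'));

        $admin = User::firstOrCreate(
            ['email' => $email],
            ['name' => 'Administrator', 'password' => Hash::make($password)]
        );

        $admin->assignRole($role);
    }
}
```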
In your config/fortify.php, ensure these features are enabled:
```php
'features' => [
    Features::registration(),
    Features::resetPasswords(),
    Features::emailVerification(),
    Features::updateProfileInformation(),
    Features::updatePasswords(),
    Features::twoFactorAuthentication([
        'confirm' => true,
        'confirmPassword' => true,
    ]),
],
```

The package configuration is located at config/authkit.php. Key settings:

```php
'features' => [
    'registration' => true,
    'email_verification' => true,
    'two_factor' => true,
    'passkeys' => true,
    'passkey_2fa' => true,
    'api_tokens' => true,
],

'rbac' => [
    'multi_tenant' => false,
    'default_role' => 'user',
    'super_admin_role' => 'super-admin',
],

'passkey' => [
    'rp_name' => env('APP_NAME', 'Laravel'),
    'rp_id' => env('PASSKEY_RP_ID', 'localhost'),
    'user_verification' => 'preferred',
    'allow_multiple' => true,
    'required_for_roles' => [
        // 'admin',
    ],
],

'two_factor' => [
    'qr_code_size' => 200,
    'recovery_codes_count' => 8,
    'required_for_roles' => [
        // 'admin',
    ],
],
```

Add the HasAuthKit trait to your User model:
```php
<?php

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Bspdx\AuthKit\Traits\HasAuthKit;

class User extends Authenticatable
{
    use Notifiable, HasAuthKit;

    // ... rest of your model
}
```

This trait combines:
- `HasApiTokens` (Sanctum)
- `TwoFactorAuthenticatable` (Fortify)
- `HasRoles` (Spatie Permission)
- `HasPasskeys` (Spatie Passkeys)
AuthKit provides framework-agnostic Blade components you can drop anywhere:
```blade
<x-authkit::login-form
    :show-passkey-option="true"
    :show-remember-me="true"
    :show-register-link="true"
    :show-forgot-password="true"
/>

<x-authkit::register-form
    :show-login-link="true"
    :required-fields="['name', 'email', 'password', 'password_confirmation']"
/>

<x-authkit::two-factor-challenge
    :show-recovery-code-option="true"
/>

<x-authkit::passkey-register />

<x-authkit::passkey-login />
```

AuthKit doesn't auto-register routes. Add them manually from the published examples:

Web Routes (routes/authkit-web.php):

```php
// Include in your routes/web.php
require __DIR__.'/authkit-web.php';
```

API Routes (routes/authkit-api.php):

```php
// Include in your routes/api.php
require __DIR__.'/authkit-api.php';
```

AuthKit provides three middleware aliases:
`role`:

```php
Route::middleware(['auth', 'role:admin'])->group(function () {
    // Only users with 'admin' role can access
});

// Multiple roles (OR logic)
Route::middleware(['auth', 'role:admin,editor'])->group(function () {
    // Users with 'admin' OR 'editor' role can access
});
```

`permission`:

```php
Route::middleware(['auth', 'permission:edit-posts'])->group(function () {
    // Only users with 'edit-posts' permission
});

// Multiple permissions
Route::middleware(['auth', 'permission:edit-posts,publish-posts'])->group(function () {
    // Users with either permission can access
});
```

`2fa`:

```php
Route::middleware(['auth', '2fa'])->group(function () {
    // Ensures users with required roles have 2FA enabled
});
```

Checking roles and permissions in code:

```php
// Check role
if (auth()->user()->hasRole('admin')) {
    // User is an admin
}

// Check permission
if (auth()->user()->can('edit-posts')) {
    // User can edit posts
}

// Check multiple roles
if (auth()->user()->hasAnyRole(['admin', 'editor'])) {
    // User has at least one of these roles
}

// Super admin check
if (auth()->user()->isSuperAdmin()) {
    // User is super admin (bypasses all permission checks)
}
```

Use Sanctum for API authentication:
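To make concrete what the `2fa` middleware enforces, here is an illustrative middleware written for this README rather than taken from the package: it reads `authkit.two_factor.required_for_roles`, uses Spatie's `hasAnyRole()` and Fortify's `hasEnabledTwoFactorAuthentication()` (both available through `HasAuthKit`), and assumes a route named `two-factor.setup` for enrolment.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

// Illustrative middleware (not AuthKit's own class): users holding any role listed in
// config('authkit.two_factor.required_for_roles') must have confirmed TOTP 2FA before
// the request may continue. Register it under its own alias in bootstrap/app.php so it
// does not collide with the package's '2fa' alias, e.g.
//   $middleware->alias(['2fa.roles' => RequireTwoFactorForRoles::class]);
class RequireTwoFactorForRoles
{
    public function handle(Request $request, Closure $next): Response
    {
        $user = $request->user();

        // Unauthenticated requests are the 'auth' middleware's job, not ours.
        if ($user === null) {
            return $next($request);
        }

        $requiredRoles = (array) config('authkit.two_factor.required_for_roles', []);

        // hasAnyRole(): Spatie Permission. hasEnabledTwoFactorAuthentication(): Fortify's
        // TwoFactorAuthenticatable trait; with 'confirm' => true it also requires the
        // two_factor_confirmed_at timestamp, so a half-finished enrolment does not count.
        $mustEnforce = $requiredRoles !== []
            && $user->hasAnyRole($requiredRoles)
            && ! $user->hasEnabledTwoFactorAuthentication();

        if (! $mustEnforce) {
            return $next($request);
        }

        if ($request->expectsJson()) {
            return response()->json([
                'message' => 'Two-factor authentication is required for your role.',
            ], 403);
        }

        // 'two-factor.setup' is an assumed route name for your enrolment page.
        return redirect()->route('two-factor.setup')->with('status', 'two-factor-required');
    }
}
```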
```php
<?php

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

// Login endpoint (you need to create this)
Route::post('/login', function (Request $request) {
    $credentials = $request->validate([
        'email' => 'required|email',
        'password' => 'required',
    ]);

    if (! Auth::attempt($credentials)) {
        return response()->json(['message' => 'Invalid credentials'], 401);
    }

    $user = $request->user();

    // Issue a Sanctum personal access token; the plain-text value is only available here
    $token = $user->createToken('api-token')->plainTextToken;

    return response()->json([
        'token' => $token,
        'user' => $user,
    ]);
});
```

All API routes are protected with `auth:sanctum` middleware.
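The login route above issues a token with every ability (`['*']`). As an added example that is not AuthKit's own code, here is a variant that scopes the token's abilities to the user's Spatie permissions, names it per device, throttles the endpoint and revokes only the current token on logout; the `device_name` field, the `/posts/{post}` route and the `ability` alias (Sanctum's `CheckForAnyAbility`, which you register yourself) are assumptions.

```php
<?php

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;

// Added example (not AuthKit's code): issue a Sanctum token whose abilities mirror the
// user's Spatie permissions instead of the default wildcard ['*'], name it per device,
// and throttle the endpoint so it cannot be used for password guessing.
Route::post('/login', function (Request $request) {
    $data = $request->validate([
        'email'       => 'required|email',
        'password'    => 'required',
        'device_name' => 'required|string|max:100',   // assumed extra request field
    ]);

    $user = User::where('email', $data['email'])->first();

    // One generic failure message: do not reveal whether the e-mail exists.
    if (! $user || ! Hash::check($data['password'], $user->password)) {
        return response()->json(['message' => 'Invalid credentials'], 401);
    }

    // getAllPermissions() (Spatie) includes permissions granted through roles.
    // Super admins bypass permission checks in AuthKit, so they get a wildcard token.
    $abilities = $user->isSuperAdmin()
        ? ['*']
        : $user->getAllPermissions()->pluck('name')->unique()->values()->all();

    $token = $user->createToken($data['device_name'], $abilities)->plainTextToken;

    return response()->json(['token' => $token, 'abilities' => $abilities]);
})->middleware('throttle:5,1');   // at most 5 attempts per minute per client

// Sanctum's CheckForAnyAbility middleware (alias it as 'ability' in bootstrap/app.php)
// answers 403 when the presented token lacks the named ability, even if the user's
// live permissions would allow the action.
Route::middleware(['auth:sanctum', 'ability:edit-posts'])->put('/posts/{post}', function () {
    // ... update the post
});

// Logout revokes only the token used for this request; other devices stay signed in.
Route::middleware('auth:sanctum')->post('/logout', function (Request $request) {
    $request->user()->currentAccessToken()->delete();

    return response()->noContent();
});
```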
Example requests:

Get All Roles:

```bash
curl -X GET http://localhost/api/roles \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Accept: application/json"
```

Assign Role to User:

```bash
curl -X POST http://localhost/api/users/1/roles \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"roles": ["admin"]}'
```

Enable 2FA:

```bash
curl -X POST http://localhost/api/user/two-factor-authentication \
  -H "Authorization: Bearer YOUR_TOKEN"
```

Passkeys require HTTPS! See our detailed guide: HTTPS Setup for Laravel Sail
Quick summary:

- Install mkcert:

  ```bash
  brew install mkcert   # macOS
  mkcert -install
  ```

- Generate certificates:

  ```bash
  mkdir -p docker/ssl && cd docker/ssl
  mkcert localhost 127.0.0.1 ::1
  mv localhost+2.pem cert.pem
  mv localhost+2-key.pem key.pem
  ```

- Update .env:

  ```dotenv
  APP_URL=https://localhost
  SESSION_SECURE_COOKIE=true
  ```

- Configure Nginx/Caddy to use the certificates

See the full guide for detailed instructions.
AuthKit is multi-tenancy ready. To enable:

```php
// config/authkit.php
'multi_tenancy' => [
    'enabled' => true,
    'tenant_column' => 'tenant_id',
    'auto_scope' => true,
],

'rbac' => [
    'multi_tenant' => true,
],
```

Use Spatie's multitenancy package or implement your own scoping logic.

Run the package tests:

```bash
composer test
```

Or with PHPUnit directly:

```bash
./vendor/bin/phpunit
```

Publish the views and modify as needed:

```bash
php artisan vendor:publish --tag=authkit-views
```

Views will be in resources/views/vendor/authkit/.
All Blade components use CSS custom properties for easy theming:
```css
:root {
    --authkit-primary: #4f46e5;
    --authkit-primary-hover: #4338ca;
    --authkit-danger: #dc2626;
    --authkit-text: #1f2937;
    --authkit-border: #d1d5db;
    --authkit-bg: #ffffff;
    --authkit-radius: 0.5rem;
}
```

If you discover any security issues, please email info@bspdx.com instead of using the issue tracker.
- BSPDX
- Built on top of:
The MIT License (MIT). Please see License File for more information.
Here's a complete example to get you started quickly:

```bash
composer require bspdx/authkit
php artisan vendor:publish --tag=authkit-config
php artisan vendor:publish --tag=authkit-migrations
php artisan migrate
php artisan db:seed --class=AuthKitSeeder
```

```php
<?php

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Bspdx\AuthKit\Traits\HasAuthKit;

class User extends Authenticatable
{
    use HasAuthKit;

    protected $fillable = ['name', 'email', 'password'];
}
```

```blade
<!-- resources/views/auth/login.blade.php -->
<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
    <meta name="csrf-token" content="{{ csrf_token() }}">
</head>
<body>
    <x-authkit::login-form />
</body>
</html>
```

```php
// routes/web.php
Route::get('/login', function () {
    return view('auth.login');
})->name('login');

// Include AuthKit routes
require __DIR__.'/authkit-web.php';
```

```bash
# Start server (with HTTPS for passkeys)
./vendor/bin/sail up

# Visit https://localhost/login
# Use demo credentials: admin@example.com / password
```

That's it! You now have a complete authentication system with 2FA, passkeys, and RBAC.
- Documentation: Full documentation
- Issues: GitHub Issues
- Discussions: GitHub Discussions