March 13, 2026

Why JWTs Are a Security Nightmare for Mobile Apps (Use Sanctum Instead)

By Paresh Prajapati • Lead Architect


The Stateless Trap

If you search for "How to authenticate a Flutter app," 90% of tutorials will tell you to use JSON Web Tokens (JWT). The pitch sounds great: JWTs are stateless. The server doesn't need to query the database to verify the user; it just verifies the token's signature. It saves database calls!

But in the real world of mobile application development, "stateless" is actually a massive security vulnerability.

The Problem with Revocation

Imagine your user loses their smartphone. They log into your web dashboard from a friend's computer and click "Log out of all devices."

If you are using JWTs, you cannot log them out. Because JWTs are stateless, the server has no record of the token to delete. Until that JWT's built-in expiration time runs out (which could be hours or days), whoever stole that phone has full access to your API. To "fix" this, developers build complex token blocklists in Redis, which completely defeats the entire purpose of being stateless in the first place.

The Sanctum Solution

For mobile applications communicating with a Laravel backend, we strictly use Laravel Sanctum with stateful API tokens.

When a user logs in via Flutter, Laravel generates a cryptographically secure random string, hashes it, and stores it in the personal_access_tokens database table. The Flutter app stores the plain-text token securely using flutter_secure_storage.


// Laravel: Issuing a secure, stateful token
// createToken() stores only the SHA-256 hash of the token in
// personal_access_tokens; plainTextToken is the one-time plain value
// that is handed to the app and never stored server-side.
$token = $user->createToken('iphone_15_pro')->plainTextToken;
return response()->json(['token' => $token]);

Why This Architecture Wins

Because the token is stateful (stored in the database), you have absolute control. If a device is compromised, you simply delete the row from the database.


// Laravel: Instant, guaranteed device revocation
$user->tokens()->where('name', 'iphone_15_pro')->delete();

The very next time the stolen phone makes an API request, Sanctum checks the database, sees the token is gone, and instantly returns a 401 Unauthorized. The app is locked down.
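To show the login, per-device logout and "Log out of all devices" flow from the sections above end to end, here is a minimal Laravel routes file as an added example (not code from the original post). It assumes the default App\Models\User model with the HasApiTokens trait and the Sanctum middleware installed; the device_name field and the /logout-all route name are this example's own choices.

```php
<?php
// routes/api.php (added example, not from the original post)

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\ValidationException;

// Login: the app sends its credentials plus a device_name, so each
// device gets its own row in personal_access_tokens and can be
// revoked individually later.
Route::post('/login', function (Request $request) {
    $request->validate([
        'email' => 'required|email',
        'password' => 'required',
        'device_name' => 'required|string|max:100',
    ]);

    $user = User::where('email', $request->email)->first();

    if (! $user || ! Hash::check($request->password, $user->password)) {
        // Same message for unknown email and wrong password: no user enumeration.
        throw ValidationException::withMessages([
            'email' => ['The provided credentials are incorrect.'],
        ]);
    }

    // Only the SHA-256 hash is stored; the plain value is returned once.
    return response()->json([
        'token' => $user->createToken($request->device_name)->plainTextToken,
    ]);
});

Route::middleware('auth:sanctum')->group(function () {
    // Log out of this device only: delete the token that authenticated this request.
    Route::post('/logout', function (Request $request) {
        $request->user()->currentAccessToken()->delete();
        return response()->noContent();
    });

    // "Log out of all devices": delete every token row for the user.
    // A stolen phone's next request then fails with 401 Unauthorized.
    Route::post('/logout-all', function (Request $request) {
        $request->user()->tokens()->delete();
        return response()->noContent();
    });
});
```

Because each device name maps to its own row, an admin tool can also revoke a single device with the `tokens()->where('name', ...)->delete()` call shown above.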

Conclusion

Database queries are cheap. User security is priceless. Stop using stateless JWTs for mobile authentication and let Laravel Sanctum handle your tokens securely.

Paresh Prajapati
Lead Architect, Smart Tech Devs