
Take Control with Laravel Sanctum Impersonate

When you’re managing a large application, there are times you need to see exactly what a user sees. Instead of logging into their account manually, Laravel Sanctum impersonate gives admins a secure way to step into any user’s role with just one click. It’s simple, powerful, and saves hours during debugging or support sessions. Let’s walk through how to build this cleanly with real working code.


Creating the Connection Between Users and Tokens

To begin, you’ll need a table that links impersonation tokens to admin users. This setup allows Laravel Sanctum impersonate to track who is impersonating whom.

use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;

public function up(): void
{
    Schema::create('impersonations', function (Blueprint $table) {
        $table->id();
        // Token issued to the impersonated user (the "persona")
        $table->bigInteger('personal_access_token_id')->unsigned();
        // Admin who started the impersonation
        $table->bigInteger('user_id')->unsigned();
        $table->timestamps();
        // Deleting the token or the admin removes the impersonation record with it
        $table->foreign('personal_access_token_id')->references('id')->on('personal_access_tokens')->cascadeOnDelete();
        $table->foreign('user_id')->references('id')->on('users')->cascadeOnDelete();
    });
}

This migration ensures the impersonation data stays clean and automatically deletes records when users or tokens are removed.
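The controller code later in this post refers to an Impersonation model but never shows it. The following is an added example of what that model could look like; it is not from the original post. It assumes the table above, the default Sanctum PersonalAccessToken model (swap in your own if you have configured one through Sanctum::usePersonalAccessTokenModel), and an App\Models\User class.

```php
<?php

namespace App\Models;

use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsTo;
use Laravel\Sanctum\PersonalAccessToken;

// Hypothetical model for the impersonations table from the migration above.
class Impersonation extends Model
{
    // Only these two columns are ever mass-assigned
    protected $fillable = ['user_id', 'personal_access_token_id'];

    // The admin who started the impersonation
    public function impersonator(): BelongsTo
    {
        return $this->belongsTo(User::class, 'user_id');
    }

    // The token that acts as the impersonated user
    public function token(): BelongsTo
    {
        return $this->belongsTo(PersonalAccessToken::class, 'personal_access_token_id');
    }

    // Record for the token on the current request, or null when the
    // request is not an impersonation at all (e.g. a plain API token)
    public static function forToken(?PersonalAccessToken $token): ?self
    {
        return $token ? static::where('personal_access_token_id', $token->id)->first() : null;
    }

    // All impersonations an admin currently has open; rows only exist while
    // the persona token exists, because the foreign key cascades on delete
    public function scopeStartedBy($query, User $admin)
    {
        return $query->where('user_id', $admin->id);
    }
}
```

The forToken() helper is the authoritative way to answer "is this request an impersonation?": it consults the table rather than the token name, so a token that merely happens to be called "IMPERSONATION token" but has no matching row is not treated as one.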

Updating the User Model

Now, let’s define who can impersonate and who can be impersonated. You can adjust these conditions based on your own logic, but here’s a simple admin-based example.

public function canImpersonate(): bool
{
    return (bool) $this->is_admin;
}

public function canBeImpersonated(): bool
{
    return ! $this->is_admin;
}

public function isImpersonated(): bool
{
    // currentAccessToken() is null when the request was not authenticated by a Sanctum token
    $token = $this->currentAccessToken();

    return $token !== null && $token->name === 'IMPERSONATION token';
}

With these three methods, the impersonation flow can decide who may switch, who may be switched to, and whether the token on the current request is an impersonation token.
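One thing a practitioner will want on top of isImpersonated() is a way to keep an admin who is acting as a user away from that user's most sensitive actions (password or e-mail changes, payouts) and to leave an audit trail when such an attempt happens. The middleware below is an added example, not code from the original post; the class name DenyWhileImpersonating and the route it is attached to are hypothetical.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

// Hypothetical middleware: refuse requests made with an impersonation token.
// Attach it to routes an admin should not be able to exercise on a user's behalf.
class DenyWhileImpersonating
{
    public function handle(Request $request, Closure $next): Response
    {
        $user = $request->user();

        if ($user && $user->isImpersonated()) {
            // Record the blocked attempt so support sessions are auditable
            Log::warning('Action blocked during impersonation', [
                'persona_id' => $user->id,
                'token_id'   => $user->currentAccessToken()->id,
                'route'      => $request->route()?->getName(),
            ]);

            return response()->json(['message' => 'Not available while impersonating.'], 403);
        }

        return $next($request);
    }
}

// Usage (routes/api.php), assuming a hypothetical AccountController:
//
// use App\Http\Middleware\DenyWhileImpersonating;
//
// Route::middleware(['auth:sanctum', DenyWhileImpersonating::class])
//     ->post('/account/password', [AccountController::class, 'updatePassword']);
```

Because the check runs after auth:sanctum has resolved the user, currentAccessToken() is guaranteed to be set when isImpersonated() returns true, so the token id in the log line is always available.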

Handling Impersonation in the Controller

Next, let’s create the functions that make impersonation work. You can add them inside your AdminController or a dedicated ImpersonationController.

Start Impersonation

When an admin wants to take another user’s role:

public function impersonate($userId)
{
    $impersonator = auth()->user();
    $persona = User::find($userId);

    // Refuse unless the caller may impersonate and the target may be impersonated
    if (! $persona || ! $persona->canBeImpersonated() || ! $impersonator->canImpersonate()) {
        return response()->json(['message' => 'Impersonation not allowed.'], 403);
    }

    // Issue a token that acts as the persona; its name marks it as an impersonation token
    $personaToken = $persona->createToken('IMPERSONATION token');

    // Record who is behind the new token so leaveImpersonate() can restore the admin
    $impersonation = new Impersonation();
    $impersonation->user_id = $impersonator->id;
    $impersonation->personal_access_token_id = $personaToken->accessToken->id;
    $impersonation->save();

    // Revoke the admin's own token: only one identity is active at a time
    $impersonator->currentAccessToken()->delete();

    $response = [
        "requested_id" => $userId,
        "persona" => $persona,
        "impersonator" => $impersonator,
        "token" => $personaToken->plainTextToken
    ];

    return response()->json(['data' => $response], 200);
}

This function creates a new token for the impersonated user, records which admin is behind it, and removes the admin's previous token, so the caller switches identities instantly and a failed check is answered with a 403 rather than an empty response.

Leave Impersonation

When it’s time to return to your admin account:

public function leaveImpersonate()
{
    $impersonatedUser = auth()->user();
    $currentAccessToken = $impersonatedUser->currentAccessToken();

    // Only a token recorded in the impersonations table can be "left";
    // an ordinary API token has no row and must not be swapped for an admin token
    $impersonation = Impersonation::where('personal_access_token_id', $currentAccessToken->id)->first();
    if (! $impersonation) {
        return response()->json(['message' => 'Not impersonating.'], 403);
    }

    $impersonator = User::findOrFail($impersonation->user_id);

    // Issue the admin a fresh token, then revoke the impersonation token
    // (the impersonations row is removed by the cascading foreign key)
    $impersonatorToken = $impersonator->createToken('API token')->plainTextToken;
    $impersonatedUser->currentAccessToken()->delete();

    $response = [
        "requested_id" => $impersonator->id,
        "persona" => $impersonator,
        "token" => $impersonatorToken,
    ];

    return response()->json(['data' => $response], 200);
}

This reissues a fresh token for the admin and removes the impersonation token, so the persona token cannot be reused after the session ends and the impersonations row disappears with it.

Adding the Routes

Finally, link everything through your API routes. Both endpoints must sit behind Sanctum authentication: the impersonate endpoint is restricted to admins (the controller rejects callers whose canImpersonate() is false), while the "leave" endpoint has to stay reachable by whoever holds an impersonation token, since that caller is the impersonated user, not the admin.

// $api is this post's API route group; it is assumed to already apply the auth:sanctum middleware.
// Impersonate (only callers whose canImpersonate() is true get past the controller)
$api->get('/impersonate/take/{userId}', [AdminController::class, 'impersonate'])->name('users.impersonate');
// Leave impersonation (reachable by whoever holds the impersonation token)
$api->get('/impersonate/leave', [AdminController::class, 'leaveImpersonate'])->name('users.leaveImpersonate');
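The flow is easy to get subtly wrong (an admin token that survives the switch, a persona token that still works after leaving, a non-admin who can take over another account), so it is worth pinning down with a feature test. The test below is an added example and not part of the original post. It assumes the two named routes above are registered behind auth:sanctum, that the impersonate endpoint answers 403 when its checks fail, that users have an is_admin column, and that a User factory exists.

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class ImpersonationTest extends TestCase
{
    use RefreshDatabase;

    // Build the Authorization header for a plain-text Sanctum token
    private function bearer(string $plainTextToken): array
    {
        return ['Authorization' => 'Bearer '.$plainTextToken];
    }

    public function test_admin_can_take_and_leave_a_user_session(): void
    {
        $admin  = User::factory()->create(['is_admin' => true]);
        $member = User::factory()->create(['is_admin' => false]);
        $adminToken = $admin->createToken('API token');

        // Take: the admin's token is revoked, a persona token is issued and recorded
        $take = $this->getJson(route('users.impersonate', $member->id), $this->bearer($adminToken->plainTextToken))
            ->assertOk();
        $personaToken = $take->json('data.token');

        $this->assertEquals($member->id, $take->json('data.persona.id'));
        $this->assertDatabaseMissing('personal_access_tokens', ['id' => $adminToken->accessToken->id]);
        $this->assertDatabaseHas('impersonations', ['user_id' => $admin->id]);

        // Leave: a fresh admin token comes back and the impersonation row is gone
        $leave = $this->getJson(route('users.leaveImpersonate'), $this->bearer($personaToken))->assertOk();
        $this->assertEquals($admin->id, $leave->json('data.persona.id'));
        $this->assertDatabaseCount('impersonations', 0);

        // The persona token must be dead after leaving
        $this->getJson(route('users.leaveImpersonate'), $this->bearer($personaToken))->assertUnauthorized();

        // The returned admin token works again as the admin
        $this->getJson(route('users.impersonate', $member->id), $this->bearer($leave->json('data.token')))->assertOk();
    }

    public function test_non_admin_cannot_impersonate(): void
    {
        $member = User::factory()->create(['is_admin' => false]);
        $target = User::factory()->create(['is_admin' => false]);
        $token  = $member->createToken('API token')->plainTextToken;

        $this->getJson(route('users.impersonate', $target->id), $this->bearer($token))->assertForbidden();
        $this->assertDatabaseCount('impersonations', 0);
    }

    public function test_admin_cannot_impersonate_another_admin(): void
    {
        $admin = User::factory()->create(['is_admin' => true]);
        $other = User::factory()->create(['is_admin' => true]);
        $token = $admin->createToken('API token')->plainTextToken;

        $this->getJson(route('users.impersonate', $other->id), $this->bearer($token))->assertForbidden();
        $this->assertDatabaseCount('impersonations', 0);
    }

    public function test_leave_with_an_ordinary_token_is_refused(): void
    {
        $member = User::factory()->create(['is_admin' => false]);
        $token  = $member->createToken('API token')->plainTextToken;

        // No impersonations row for this token, so nothing to return to
        $this->getJson(route('users.leaveImpersonate'), $this->bearer($token))->assertForbidden();
    }
}
```

Real tokens are created with createToken() and sent as Bearer headers rather than using Sanctum::actingAs(), because actingAs() attaches an in-memory token that is never stored; the whole point here is to verify what ends up in personal_access_tokens and impersonations.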

Conclusion

By following this approach, Laravel Sanctum impersonate lets admins jump into any user’s account safely, test real scenarios, and switch back without hassle. It’s efficient, practical, and easy to extend. Now your admin team can experience user sessions exactly as they happen, a real boost for support, testing, and troubleshooting. With this complete setup, your Laravel system is ready to make account management smarter, faster, and far more controlled.