I wrote a simple REST API with Laravel 11. I tested authentication, and it looks like the token generated by Sanctum is not revoked even though I delete it the way the documentation describes.
```php
<?php

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class TokenController extends Controller
{
    // Issue a new personal access token after checking the credentials.
    public function store(Request $request)
    {
        $fields = $request->validate([
            'email' => ['required', 'email', 'max:255'],
            'password' => ['required', 'string', 'max:255'],
        ]);

        $user = User::where('email', $fields['email'])->first();

        if (!$user || !Hash::check($fields['password'], $user->password)) {
            return response('authentication failed', 401);
        }

        $token = $user->createToken('the_token');

        return response(['plainText' => $token->plainTextToken], 201);
    }

    // Revoke the token that authenticated the current request.
    public function destroy(Request $request)
    {
        $request->user('sanctum')->currentAccessToken()->delete();

        return response(null, 204);
    }
}
```
When I test the route for destroy I always get 204, and when I dump the user id and the token I always get the same values. This should not be possible, because I use the auth:sanctum middleware for the route, so I guess I should get 401 for the second call because there is no authenticated user, or at least an empty user id.
I have no idea what I am doing wrong. Maybe this is a configuration issue, but when I try to Google it or ask GPT, all I find is that other people revoke tokens the same way I do. How can I fix this?
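One way to pin down where revocation breaks is a feature test that exercises the whole issue/revoke/replay cycle and checks the database between steps, rather than trusting the 204. The test below is an added example, not code from the question; it assumes the controller above is mounted at `POST /api/tokens` (store) and `DELETE /api/tokens` (destroy) behind the `auth:sanctum` middleware, that the `User` model uses Sanctum's `HasApiTokens` trait with the default `personal_access_tokens` table, and that a standard user factory exists.

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\PersonalAccessToken;
use Tests\TestCase;

class TokenRevocationTest extends TestCase
{
    use RefreshDatabase;

    public function test_revoked_token_is_rejected_on_the_next_request(): void
    {
        // Constructed user for the test; credentials are not real.
        $user = User::factory()->create([
            'email' => 'alice@example.test',
            'password' => bcrypt('correct horse battery staple'),
        ]);

        // Assumed route: POST /api/tokens issues a plain-text token.
        $plainText = $this->postJson('/api/tokens', [
            'email' => 'alice@example.test',
            'password' => 'correct horse battery staple',
        ])->assertStatus(201)->json('plainText');

        // Exactly one token row exists before revocation.
        $this->assertSame(1, PersonalAccessToken::count());

        // Assumed route: DELETE /api/tokens revokes the calling token.
        // withToken() sends it as an Authorization: Bearer header.
        $this->withToken($plainText)
            ->deleteJson('/api/tokens')
            ->assertStatus(204);

        // Revocation must actually remove the row, not just answer 204.
        $this->assertSame(0, PersonalAccessToken::count());

        // Replaying the same token must now be rejected by auth:sanctum.
        $this->withToken($plainText)
            ->deleteJson('/api/tokens')
            ->assertStatus(401);
    }
}
```

The three assertions isolate different failure points: the first confirms the token was persisted, the second confirms `destroy` deleted the row the bearer token maps to, and the third confirms the guard no longer accepts the token once the row is gone. Running it with `php artisan test --filter TokenRevocationTest` tells you which of those steps is the one that does not hold in your setup.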