You need to proceed from what your task is:
- A regular site with a server renderer
This is an old scheme, where Laravel has everything for this. And basic authentication through cookies and session storage in different places.
- A site with a separate client
Here the backend is usually separated from the frontend. From the backend you need api (restful, graphql), the client is already implemented as a rule in js.
A token may already be required here.
- A site with more than one client
This can be the site itself, and it can be a mobile application and any other that uses the backend API.
Here Passport is more in demand but not required.
- A site with a requirement to issue access to third-party clients
Passport is required here
Simply put, Passport takes care of organizing the authentication and authorization of external clients in your backend and the consequences that follow from this:
- storage
- encryption
- authorization
- management
- Auth2.0 implementation
For a simple API, laravel recommends sanctum

If you have a real api (and not just controllers in the Api namespace), then you need a token. Those. where there are no sessions, csrf checks, etc. Relevant for a site with a mobile application, large projects divided into services, etc. If just a site without understanding what is happening and why, then you do it and don’t worry. You can always change.