Securing Token Authentication in Laravel 10 with Separate Vue 3 Client


I'm encountering an issue with token security in my Laravel 10 project using Sanctum for authentication and a separate Vue 3 client. Our setup involves using APIs to manage authentication and data processing.

The problem arises when a user logs in via the API, as Sanctum generates a token. I noticed that I could extract this token from the browser's app data and use it in Postman to access all data associated with the user. This presents a security vulnerability that I need to address.

I'm wondering if there's a more robust solution to prevent this scenario, particularly considering that our Vue 3 client is separate from the Laravel project and not using Inertia. Any insights or recommendations on improving token security in this context would be greatly appreciated.
