Laravel API Authentication
Why API Authentication?
When building APIs, we need to make sure only authenticated users can access certain endpoints (like dashboard, profile, etc.).
In normal web apps, Laravel uses session + cookies, but for APIs we use tokens.
Steps in Flow
- Register → Save user in DB
- Login → Validate user and generate token (store in DB)
- Authenticate → Every API request must include the token (in the Authorization header)
- Logout (optional) → Delete token
Create Middleware (Custom Token Auth)
php artisan make:middleware ApiAuthMiddleware
Edit file: app/Http/Middleware/ApiAuthMiddleware.php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use App\Models\User;

class ApiAuthMiddleware
{
    public function handle(Request $request, Closure $next)
    {
        // The client sends the bare token as the value of the Authorization header
        $token = $request->header('Authorization');
        if (!$token) {
            return response()->json(['error' => 'Token not provided'], 401);
        }

        // The token was stored in remember_token at login (see AuthController::login)
        $user = User::where('remember_token', $token)->first();
        if (!$user) {
            return response()->json(['error' => 'Invalid token'], 401);
        }

        // Store authenticated user in request so controllers can read $request->user
        $request->merge(['user' => $user]);

        return $next($request);
    }
}
Register middleware in bootstrap/app.php:
use Illuminate\Foundation\Configuration\Middleware;

// Inside the Application::configure(...) chain in bootstrap/app.php
->withMiddleware(function (Middleware $middleware) {
    $middleware->alias([
        'auth.api' => \App\Http\Middleware\ApiAuthMiddleware::class,
    ]);
})
AuthController
Create controller:
php artisan make:controller Api/AuthController
app/Http/Controllers/Api/AuthController.php:
<?php

namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use App\Models\User;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;

class AuthController extends Controller
{
    // Register
    public function register(Request $request)
    {
        $request->validate([
            'name' => 'required|string|max:255',
            'email' => 'required|email|unique:users',
            'password' => 'required|min:6',
        ]);

        $user = User::create([
            'name' => $request->name,
            'email' => $request->email,
            'password' => Hash::make($request->password), // never store the plain password
        ]);

        return response()->json(['message' => 'User registered successfully']);
    }

    // Login
    public function login(Request $request)
    {
        $request->validate([
            'email' => 'required|email',
            'password' => 'required',
        ]);

        $user = User::where('email', $request->email)->first();
        if (!$user || !Hash::check($request->password, $user->password)) {
            return response()->json(['error' => 'Invalid credentials'], 401);
        }

        // Generate token (a new token on every login invalidates the previous one)
        $user->remember_token = Str::random(60);
        $user->save();

        return response()->json([
            'message' => 'Login successful',
            'token' => $user->remember_token,
        ]);
    }

    // Dashboard (protected by auth.api; the middleware placed the user on the request)
    public function dashboard(Request $request)
    {
        $user = $request->user;

        return response()->json([
            'message' => 'Welcome to Dashboard',
            'user' => $user,
        ]);
    }

    // Logout
    public function logout(Request $request)
    {
        $user = $request->user;
        $user->remember_token = null; // clear the token the middleware looks up
        $user->save();

        return response()->json(['message' => 'Logged out successfully']);
    }
}
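The tutorial above stores the raw Str::random(60) value in remember_token (a column Laravel also uses for its "remember me" cookie) and looks it up with a plain where() query. As an added example that is not part of the original post, the plain-PHP block below shows the hardened form of the same login and middleware steps: a token with 256 bits of entropy, only its SHA-256 hash kept in the database (in a hypothetical api_token_hash column), Bearer-style header parsing alongside the bare token the tutorial sends, and a constant-time comparison; the $users array is constructed stand-in data for the users table.

```php
<?php
// Added example, not from the tutorial: hardened token handling for login() and
// ApiAuthMiddleware::handle(). Runs with `php example.php`; $users is constructed
// stand-in data for the users table, with a hypothetical api_token_hash column.
declare(strict_types=1);

// Issue a token: the client gets the random value, the database keeps only its
// SHA-256 hash, so a leaked table dump does not contain usable tokens.
function issueToken(): array
{
    $plain = bin2hex(random_bytes(32)); // 256 bits of entropy, 64 hex chars
    return ['plain' => $plain, 'hash' => hash('sha256', $plain)];
}

// Accept "Authorization: Bearer <token>" as well as the bare token the tutorial sends.
function extractToken(?string $header): ?string
{
    $header = trim((string) $header);
    if ($header === '') {
        return null;
    }
    return preg_match('/^Bearer\s+(\S+)$/i', $header, $m) ? $m[1] : $header;
}

// Hash the presented token and look it up, as User::where('api_token_hash', $hash)->first()
// would in Eloquent; hash_equals() keeps the comparison constant-time.
function findUserByToken(array $users, ?string $presented): ?array
{
    if ($presented === null) {
        return null;
    }
    $hash = hash('sha256', $presented);
    foreach ($users as $user) {
        if ($user['api_token_hash'] !== null && hash_equals($user['api_token_hash'], $hash)) {
            return $user;
        }
    }
    return null; // unknown token, or the user logged out (hash cleared)
}

// Constructed demo data: Alice holds a live token, Bob has logged out.
$issued = issueToken();
$users = [
    ['id' => 1, 'email' => 'alice@example.com', 'api_token_hash' => $issued['hash']],
    ['id' => 2, 'email' => 'bob@example.com', 'api_token_hash' => null],
];
$ok  = findUserByToken($users, extractToken('Bearer ' . $issued['plain']));
$bad = findUserByToken($users, extractToken(str_repeat('a', 64)));
echo $ok ? "authenticated user #{$ok['id']}\n" : "rejected\n";
echo $bad ? "authenticated user #{$bad['id']}\n" : "rejected\n";
```

To use this in the tutorial's code, login() would store $issued['hash'] and return $issued['plain'], and the middleware would call findUserByToken's lookup against the users table and clear the hash on logout.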
API Routes
Define routes in routes/api.php:
<?php

use App\Http\Controllers\Api\AuthController;
use Illuminate\Support\Facades\Route;

Route::post('/register', [AuthController::class, 'register']);
Route::post('/login', [AuthController::class, 'login']);

// Protected routes
Route::middleware('auth.api')->group(function () {
    Route::get('/dashboard', [AuthController::class, 'dashboard']);
    Route::post('/logout', [AuthController::class, 'logout']);
});
Postman Output:
Register:
Login:
After login, copy the token from the response.
Dashboard:
Put the token in the Authorization header of the request.
Logout: