Laravel API Authentication

Why API Authentication?

When building APIs, we need to make sure only authenticated users can access certain endpoints (like dashboard, profile, etc.).

In normal web apps, Laravel uses session + cookies, but for APIs we use tokens.


Steps in Flow

  1. Register → Save user in DB
  2. Login → Validate user and generate token (store in DB)
  3. Authenticate → Every request to a protected endpoint must include the token (in the Authorization header)
  4. Logout (optional) → Delete token

Create Middleware (Custom Token Auth)

php artisan make:middleware ApiAuthMiddleware


Edit file: app/Http/Middleware/ApiAuthMiddleware.php

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use App\Models\User;

class ApiAuthMiddleware
{
    public function handle(Request $request, Closure $next)
    {
        // The client sends the raw token as the value of the Authorization header
        $token = $request->header('Authorization');

        if (!$token) {
            return response()->json(['error' => 'Token not provided'], 401);
        }

        // Look up the user whose stored token matches (this tutorial reuses the
        // remember_token column of the users table to hold the API token)
        $user = User::where('remember_token', $token)->first();

        if (!$user) {
            return response()->json(['error' => 'Invalid token'], 401);
        }

        // Store authenticated user in request so controllers can read $request->user
        $request->merge(['user' => $user]);

        return $next($request);
    }
}


Register middleware in bootstrap/app.php:

// bootstrap/app.php: this call is part of the Application::configure(...) chain;
// Middleware is Illuminate\Foundation\Configuration\Middleware (already imported there)
->withMiddleware(function (Middleware $middleware) {
    $middleware->alias([
        'auth.api' => \App\Http\Middleware\ApiAuthMiddleware::class,
    ]);
})

AuthController

Create controller:

php artisan make:controller Api/AuthController


app/Http/Controllers/Api/AuthController.php:

<?php

namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use App\Models\User;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;

class AuthController extends Controller
{
    // Register: validate input and save the user with a hashed password
    public function register(Request $request)
    {
        $request->validate([
            'name'     => 'required|string|max:255',
            'email'    => 'required|email|unique:users',
            'password' => 'required|min:6',
        ]);

        $user = User::create([
            'name'     => $request->name,
            'email'    => $request->email,
            'password' => Hash::make($request->password),
        ]);
        return response()->json(['message' => 'User registered successfully']);
    }

    // Login: check credentials, then issue a token
    public function login(Request $request)
    {
        $request->validate([
            'email'    => 'required|email',
            'password' => 'required',
        ]);

        $user = User::where('email', $request->email)->first();

        if (!$user || !Hash::check($request->password, $user->password)) {
            return response()->json(['error' => 'Invalid credentials'], 401);
        }

        // Generate a fresh random token, store it on the user and return it to the client
        $user->remember_token = Str::random(60);
        $user->save();
        return response()->json([
            'message' => 'Login successful',
            'token'   => $user->remember_token,
        ]);
    }

    // Dashboard: protected route; the middleware has already placed the user on the request
    public function dashboard(Request $request)
    {
        $user = $request->user;
        return response()->json([
            'message' => 'Welcome to Dashboard',
            'user'    => $user,
        ]);
    }

    // Logout: clear the same column the middleware checks, so the token stops working
    public function logout(Request $request)
    {
        $user = $request->user;
        $user->remember_token = null; // clear token
        $user->save();
        return response()->json(['message' => 'Logged out successfully']);
    }
}
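
The login, middleware and logout steps above as one plain-PHP script that runs without Laravel (an added example, not code from the tutorial); the $users array and the issueToken/authenticate/revokeToken names are assumptions made for this example. It keeps the tutorial's behaviour but stores only a SHA-256 hash of the token and compares in constant time, the change a production version should make.

```php
<?php
declare(strict_types=1);
// Constructed stand-in for the users table; the real one has a remember_token column.
// Unlike the tutorial, only a SHA-256 hash of the token is kept here, so a leaked
// database dump does not contain usable tokens.
$users = [1 => ['email' => 'alice@example.com', 'token_hash' => null]];

// Login step: mint a token (same length as Str::random(60)), persist only its hash.
function issueToken(array &$users, int $userId): string
{
    $token = bin2hex(random_bytes(30)); // 60 hex characters
    $users[$userId]['token_hash'] = hash('sha256', $token);
    return $token; // returned to the client once, never stored in clear
}

// Middleware step: returns the matching user id, or null (the tutorial's 401 cases).
// Accepts the bare header value the tutorial sends, or the "Bearer <token>" form.
function authenticate(array $users, ?string $authorization): ?int
{
    if ($authorization === null || trim($authorization) === '') {
        return null; // "Token not provided"
    }
    $token = preg_replace('/^Bearer\s+/i', '', trim($authorization));
    $candidate = hash('sha256', $token);
    foreach ($users as $id => $user) {
        if ($user['token_hash'] !== null && hash_equals($user['token_hash'], $candidate)) {
            return $id;
        }
    }
    return null; // "Invalid token"
}

// Logout step: dropping the stored hash revokes the token immediately.
function revokeToken(array &$users, int $userId): void
{
    $users[$userId]['token_hash'] = null;
}

// Walk the flow; each check mirrors one of the tutorial's Postman requests.
$token = issueToken($users, 1);
$checks = [
    'valid token accepted'    => authenticate($users, $token) === 1,
    'Bearer form accepted'    => authenticate($users, 'Bearer ' . $token) === 1,
    'missing header rejected' => authenticate($users, null) === null,
    'wrong token rejected'    => authenticate($users, 'not-the-token') === null,
];
revokeToken($users, 1);
$checks['revoked token rejected'] = authenticate($users, $token) === null;
foreach ($checks as $name => $ok) {
    echo ($ok ? 'PASS ' : 'FAIL ') . $name . PHP_EOL;
}
```

In the Laravel code this corresponds to saving hash('sha256', $token) in remember_token at login and querying where('remember_token', hash('sha256', $token)) in the middleware, while still returning the unhashed token to the client.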

API Routes

Define routes in routes/api.php:

use App\Http\Controllers\Api\AuthController;
use Illuminate\Support\Facades\Route;

Route::post('/register', [AuthController::class, 'register']);
Route::post('/login', [AuthController::class, 'login']);

// Protected routes
Route::middleware('auth.api')->group(function () {
    Route::get('/dashboard', [AuthController::class, 'dashboard']);
    Route::post('/logout', [AuthController::class, 'logout']);
});

Postman Output (screenshots not reproduced):

Register:

Login: after login, copy the token from the response.

Dashboard: put the token in the header under the Authorization key.

Logout:

