Build a REST API with Laravel Sanctum and Role-Based Access


This project covers building a production-ready REST API from the ground up with proper authentication, authorisation, and structured JSON responses.

Features

  • Token-based authentication with Laravel Sanctum
  • Role and permission management with Spatie
  • API versioning under /api/v1/
  • Eloquent API Resources with pagination
  • Form Request validation with custom error messages
  • Rate limiting per user role

Step 1 — Install Dependencies

# Pull in the two packages the API is built on: Sanctum (token auth)
# and Spatie (roles/permissions).
# NOTE(review): on Laravel 11+, install:api also requires laravel/sanctum,
# so the explicit require here is believed redundant but harmless — confirm.
composer require laravel/sanctum spatie/laravel-permission
# Scaffold routes/api.php and the Sanctum personal_access_tokens migration.
php artisan install:api
# Publish Spatie's config/permission.php and its roles/permissions migration.
php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider"
# Create the token and role/permission tables.
php artisan migrate

Step 2 — Auth Endpoints

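// routes/api.php
// Controllers live in the default App\Http\Controllers namespace — without
// these imports `AuthController::class` resolves to the bare string
// "AuthController" and route dispatch fails with "Target class does not exist".
use App\Http\Controllers\AuthController;
use App\Http\Controllers\PostController;
use Illuminate\Support\Facades\Route;

Route::prefix('v1')->group(function (): void {
    // Unauthenticated credential endpoints. They get their own, tighter
    // throttle (5 attempts per minute, keyed by client IP when there is no
    // user) so the generic api limiter is not the only brake on credential
    // stuffing and mass registration. Tune the numbers to your traffic;
    // clients behind a shared NAT share one bucket.
    Route::middleware('throttle:5,1')->group(function (): void {
        Route::post('/register', [AuthController::class, 'register']);
        Route::post('/login',    [AuthController::class, 'login']);
    });

    // Everything below requires a valid Sanctum bearer token.
    Route::middleware('auth:sanctum')->group(function (): void {
        Route::post('/logout', [AuthController::class, 'logout']);
        // index/show/store/update/destroy under /v1/posts. Authentication is
        // handled here; per-action authorisation (policies or Spatie role /
        // permission checks) is still the controller's responsibility.
        Route::apiResource('posts', PostController::class);
    });
});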

Step 3 — Auth Controller (login and logout are shown below; the register action referenced by the routes in Step 2 is not listed here)

class AuthController extends Controller
{
    /**
     * Exchange an email/password pair for a Sanctum personal access token.
     *
     * The credential check is delegated to the default guard through
     * Auth::attempt(). On failure a single generic 401 is returned, so the
     * response does not reveal whether the email exists. On success a new
     * token is minted whose abilities are the names of the user's Spatie
     * roles, and the plaintext token is returned exactly once — it cannot be
     * recovered afterwards. Every call creates an additional token; tokens
     * from earlier logins stay valid until revoked.
     *
     * Security caveats a reviewer should keep in mind:
     *  - Abilities are snapshotted into the token row at issue time. Removing
     *    a role from a user does not shrink tokens already issued; revoke
     *    those tokens as well when roles change.
     *  - NOTE(review): no explicit expiry is passed to createToken(), so the
     *    token lives until deleted unless `expiration` is configured in
     *    config/sanctum.php — confirm that is the intended lifetime.
     */
    public function login(LoginRequest $request): JsonResponse
    {
        $credentials   = $request->only('email', 'password');
        $authenticated = Auth::attempt($credentials);

        if ($authenticated === false) {
            return response()->json(['message' => 'Invalid credentials'], 401);
        }

        $account     = Auth::user();
        $abilities   = $account->roles->pluck('name')->all();
        $accessToken = $account->createToken('api-token', $abilities);

        $payload = [
            'token' => $accessToken->plainTextToken,
            'user'  => new UserResource($account),
        ];

        return response()->json($payload);
    }

    /**
     * Revoke the token that authenticated this request.
     *
     * Only the current token is deleted; other tokens issued to the same user
     * (other devices or sessions) remain valid.
     *
     * NOTE(review): this assumes the request was authenticated with a bearer
     * token. A session-authenticated (SPA cookie) request yields a transient
     * token object instead of a database row — verify this path if cookie
     * auth is ever enabled for the same routes.
     */
    public function logout(Request $request): JsonResponse
    {
        $request->user()->currentAccessToken()->delete();

        return response()->json(['message' => 'Logged out']);
    }
}

Step 4 — API Resource

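class PostResource extends JsonResource
{
    /**
     * Serialise a Post for API responses.
     *
     * This array is the allow-list of what leaves the server for a post:
     * any model attribute not listed here is never exposed, so new fields
     * must be added deliberately rather than by dumping the model. `author`
     * and `tags` are emitted only when the relation has been eager-loaded,
     * which keeps the response shape predictable and avoids N+1 queries in
     * collections.
     *
     * @return array<string, mixed>
     */
    public function toArray(Request $request): array
    {
        return [
            'id'         => $this->id,
            'title'      => $this->title,
            'excerpt'    => $this->excerpt,
            // whenLoaded() yields a MissingValue when the relation was not
            // loaded, so the key is omitted from the response rather than
            // triggering a lazy load.
            'author'     => new UserResource($this->whenLoaded('author')),
            'tags'       => TagResource::collection($this->whenLoaded('tags')),
            // Nullsafe: created_at is null on models without timestamps or on
            // rows hydrated without that column; emit null instead of
            // throwing on a null method call.
            // NOTE(review): toDateTimeString() carries no timezone offset;
            // consider an ISO-8601 form if clients compare across zones.
            'created_at' => $this->created_at?->toDateTimeString(),
        ];
    }
}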