Authentication Overview

​

Authentication Methods

​

1. Sanctum Token Authentication

• Token-based: Personal access tokens for API authentication
• Stateless: No session required for API requests
• Long-lived: Tokens expire after 1 year by default
• Secure: Bearer token authentication via Authorization header

​

2. Session Authentication

• Stateful domains: Configured via SANCTUM_STATEFUL_DOMAINS
• CSRF protection: Required for stateful requests
• Session cookies: Encrypted cookies for authenticated sessions

​

Authentication Flow

​

Obtaining API Tokens

1. Register an account using Laravel Fortify endpoints
2. Verify your email to activate your account
3. Access Filament panel at /admin (requires appropriate permissions)
4. Generate personal access token in your profile settings
5. Use the token in API requests via Authorization header

​

Using API Tokens

curl https://api.animethemes.moe/anime \
  -H "Authorization: Bearer YOUR_TOKEN_HERE"

fetch('https://api.animethemes.moe/anime', {
  headers: {
    'Authorization': 'Bearer YOUR_TOKEN_HERE'
  }
})

​

Protected Endpoints

• /api/me - Get current user information
• /api/me/playlist - Manage user playlists
• /api/me/externalprofile - Manage external profiles
• /api/me/notification - User notifications

​

User Registration

​

Validation Rules

• Name: Required, alphanumeric with dashes/underscores, max 35 characters, must be unique, passes moderation filters
• Email: Required, valid email format, max 255 characters, must be disposable-free and unique
• Password: Must meet Laravel’s password requirements
• Terms: Must accept terms of service

​

Rate Limiting

• Login attempts: 5 attempts per minute per IP address
• Two-factor authentication: 5 attempts per minute per session

​

Security Features

​

Two-Factor Authentication

• TOTP-based (Time-based One-Time Password)
• Recovery codes for account recovery
• Confirmation required before enabling

​

Email Verification

• Required to access Filament admin panel
• Implements MustVerifyEmail interface
• Verification status stored in email_verified_at column

​

Token Expiration

'expiration' => CarbonInterval::year()->totalMinutes,

​

Next Steps

• Laravel Sanctum - Detailed token authentication guide
• Permissions - Role-based access control system