
Overview

The API uses Laravel Sanctum token-based authentication. Every protected endpoint requires a valid bearer token in the Authorization request header:
Authorization: Bearer <your-token>
Routes protected by the auth:sanctum middleware respond with HTTP 401 and the message Unauthenticated when the token is missing, malformed or revoked. Send Accept: application/json with every request: without it Laravel treats the client as a browser and redirects unauthenticated requests instead of returning the JSON error.

Obtaining a token

You can get a token through three flows:

Email / password registration

Call POST /api/v1/register. On success the response includes an accessToken field. Store this token and attach it to subsequent requests.

OTP flow

  1. Call POST /api/v1/otp/generate with an email or phone identifier. The response returns a UUID; keep it for the next step.
  2. Call POST /api/v1/otp/verify with that UUID and the 6-digit OTP code. On success the response contains an access token.

Social login

Call POST /api/v1/auth/social with an OAuth provider token. Returns an access token and a redirect hint. See Auth endpoints for the full request/response details of each flow.

Example authenticated request

curl -X GET https://yourdomain.com/api/v1/user \
  -H "Accept: application/json" \
  -H "Authorization: Bearer YOUR_TOKEN_HERE"
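The three flows above and the authenticated request, as one script. This is an added example, not code from the API docs or the project. The page gives no request schemas, so the base URL, the JSON body field names (email, password, identifier, uuid, code, provider, token) and the assumption that every flow returns the token in an accessToken field are assumptions; check them against the Auth endpoints reference before use.

```shell
#!/bin/sh
# Added example (not part of the API docs or the project's code): obtain a Sanctum
# token through each documented flow and use it on a protected endpoint.
# Assumed, because the page does not document them: API_BASE, the JSON body field
# names below, and that every flow returns the token in an "accessToken" field.
set -eu

API_BASE="${API_BASE:-https://yourdomain.com/api/v1}"

# Pull a string field out of a flat JSON body (prefer jq where it is installed).
json_field() {
  printf '%s' "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Unauthenticated JSON POST. Accept: application/json is what makes Laravel answer
# 401/422 as JSON instead of redirecting to a login page.
api_post() {
  curl -sS -X POST "$API_BASE$1" \
    -H "Accept: application/json" -H "Content-Type: application/json" -d "$2"
}

# Authenticated GET with a bearer token obtained from any of the flows below.
api_get() {
  curl -sS "$API_BASE$1" \
    -H "Accept: application/json" -H "Authorization: Bearer $2"
}

# Take the token out of a response body, failing loudly if it is missing.
require_token() {
  tok=$(json_field "$1" accessToken)
  [ -n "$tok" ] || { echo "no accessToken in response: $1" >&2; return 1; }
  printf '%s\n' "$tok"
}

# Flow 1: email/password registration (body field names assumed).
register_token() {
  require_token "$(api_post /register "{\"email\":\"$1\",\"password\":\"$2\"}")"
}

# Flow 2: OTP. generate -> uuid, then verify(uuid, code) -> token.
otp_token() {
  gen=$(api_post /otp/generate "{\"identifier\":\"$1\"}")
  uuid=$(json_field "$gen" uuid)
  [ -n "$uuid" ] || { echo "otp/generate returned no uuid: $gen" >&2; return 1; }
  printf 'Enter the 6-digit code sent to %s: ' "$1" >&2
  read -r code
  require_token "$(api_post /otp/verify "{\"uuid\":\"$uuid\",\"code\":\"$code\"}")"
}

# Flow 3: social login with a provider-issued OAuth token (body field names assumed).
social_token() {
  require_token "$(api_post /auth/social "{\"provider\":\"$1\",\"token\":\"$2\"}")"
}

case "${1:-}" in
  register) register_token "$2" "$3" ;;
  otp)      otp_token "$2" ;;
  social)   social_token "$2" "$3" ;;
  whoami)   api_get /user "$2" ;;   # e.g. whoami "$(./auth.sh register me@example.com pw)"
  "")       ;;                      # no arguments: only define the functions
  *) echo "usage: $0 register EMAIL PASSWORD | otp IDENTIFIER | social PROVIDER TOKEN | whoami TOKEN" >&2
     exit 2 ;;
esac
```

Bodies are built with string interpolation for brevity; for inputs that may contain quotes or backslashes, build them with jq (jq -n --arg ...) instead. Note that a curl failure inside a command substitution does not stop the script: the empty body is caught by require_token, which is why it fails loudly rather than returning an empty token.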

Token scopes

Sanctum tokens issued by this API do not use granular scopes. All tokens grant access to every endpoint the authenticated user is authorized to reach based on tenant ownership and role, so a token is as powerful as the account that issued it and must be stored and transmitted with the same care as a password.

Token name        | Issued by
api-token         | Email/password registration
social-api-token  | Social login (POST /api/v1/auth/social)

Middleware reference

Middleware        | Purpose
auth:sanctum      | Requires a valid Sanctum bearer token.
tenant.ownership  | Ensures the authenticated user owns the resolved tenant. Applied to all protected tenant routes.

Tokens do not expire automatically: the API issues them without a lifetime, so a leaked token stays valid until it is revoked. Revoke tokens through Sanctum's token methods on the user model (tokens()->delete() for all of a user's tokens, currentAccessToken()->delete() for the one making the current request) or by deleting the row from the personal_access_tokens table. That table stores only a SHA-256 hash of the token secret, so a plain-text token cannot be recovered from it; the number before the | in a plain-text token is the id of its row.
