Login

Authenticate a user and receive a Sanctum API token for subsequent requests.
curl -X POST https://api.beanquick.com/api/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "SecurePass123"
  }'

Request Body

  • email (string, required): User’s email address. Must be a valid email format.
  • password (string, required): User’s password.

Response

  • status (string): Response status. Returns success on successful authentication.
  • user (object): Authenticated user information.
  • token (string): Laravel Sanctum API token. Include this in the Authorization: Bearer {token} header for authenticated requests.
  • redirectTo (string): Suggested redirect URL based on user role:
      cliente: / (main store)
      empresa: /empresa/panel (business dashboard) or /empresa/create (if business profile not created)
      admin: /admin/dashboard (admin panel)
  • message (string): Success message.

Example response:
{
  "status": "success",
  "user": {
    "id": 42,
    "name": "Juan Pérez",
    "email": "[email protected]",
    "rol": "cliente"
  },
  "token": "1|abc123def456ghi789jkl012mno345pqr678stu901vwx234yz",
  "redirectTo": "/",
  "message": "Login exitoso"
}

Logout

Revoke the current user’s access token and end their session.
This endpoint requires authentication. Include the Authorization: Bearer {token} header.
curl -X POST https://api.beanquick.com/api/logout \
  -H "Authorization: Bearer YOUR_TOKEN_HERE" \
  -H "Content-Type: application/json"

Headers

  • Authorization (string, required): Bearer token obtained from login. Format: Bearer {token}

Response

  • status (string): Response status. Returns success when the token is successfully revoked.
  • message (string): Confirmation message.

Example response:
{
  "status": "success",
  "message": "Sesión cerrada correctamente"
}

Get Current User

Retrieve the authenticated user’s information, including their associated business profile if applicable.
This endpoint requires authentication. Include the Authorization: Bearer {token} header.
curl -X GET https://api.beanquick.com/api/user \
  -H "Authorization: Bearer YOUR_TOKEN_HERE" \
  -H "Content-Type: application/json"

Headers

  • Authorization (string, required): Bearer token obtained from login. Format: Bearer {token}

Response

  • id (integer): User’s unique identifier.
  • name (string): User’s full name.
  • email (string): User’s email address.
  • rol (string): User’s role. Possible values: cliente, empresa, admin.
  • empresa (object): Business profile information. Only present if the user role is empresa and the profile exists.

Example response:
{
  "id": 42,
  "name": "Juan Pérez",
  "email": "[email protected]",
  "rol": "cliente",
  "empresa": null
}

Token Management

Token Format

BeanQuick uses Laravel Sanctum for API authentication. Tokens are issued upon login and must be included in the Authorization header for protected endpoints. Header format:
Authorization: Bearer 1|abc123def456ghi789jkl012mno345pqr678stu901vwx234yz

Token Lifecycle

  • Creation: Tokens are generated during login (POST /api/login) and registration (POST /api/register)
  • Usage: Include in Authorization: Bearer {token} header for authenticated requests
  • Revocation: Tokens are revoked when user logs out (POST /api/logout)
  • Expiration: Tokens do not expire automatically but can be revoked at any time

Security Best Practices

Never expose your API token in client-side code, public repositories, or logs. Always transmit tokens over HTTPS.
  • Store tokens securely (e.g., httpOnly cookies, secure storage)
  • Implement token refresh mechanisms for long-lived sessions
  • Revoke tokens immediately upon logout
  • Use HTTPS for all API requests
  • Validate user permissions on the server side

Multiple Sessions

Each createToken() call generates a new token. Users can have multiple active tokens across different devices or sessions. Calling logout revokes only the current token, not all user tokens.

Error Responses

401 Unauthorized

Returned when credentials are invalid during login.
{
  "status": "error",
  "message": "Las credenciales no coinciden con nuestros registros."
}

422 Validation Error

Returned when request validation fails.
{
  "message": "The email field must be a valid email address.",
  "errors": {
    "email": [
      "The email field must be a valid email address."
    ],
    "password": [
      "The password field is required."
    ]
  }
}

419 CSRF Token Mismatch

Returned when CSRF token is missing or invalid (if CSRF protection is enabled).
{
  "message": "CSRF token mismatch."
}
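A minimal client for the lifecycle documented under Token Management, exercising login, an authenticated call, logout and the 401/419/422 error shapes listed above. This is an added example, not BeanQuick's own code: the transport is injectable so the flow can be run against constructed responses, and the token-format check assumes Sanctum's usual `<id>|<secret>` plaintext shape shown in the page's sample token.

```python
import json
import urllib.error
import urllib.request

BASE_URL = "https://api.beanquick.com"  # host used in the page's curl examples

class AuthError(Exception):
    """Raised for the 401/419/422 responses; 422 field errors are attached."""
    def __init__(self, status, message, errors=None):
        super().__init__(f"HTTP {status}: {message}")
        self.status, self.errors = status, errors or {}

def http_transport(method, url, headers, body):
    """Real transport: returns (status, decoded JSON) for any HTTP status."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

class BeanQuickSession:
    """Holds exactly one Sanctum token: login -> protected calls -> logout."""
    def __init__(self, transport=http_transport):
        self._send, self.token = transport, None  # transport is injectable for tests

    def _call(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.token:                      # only protected calls carry the token
            headers["Authorization"] = f"Bearer {self.token}"
        status, payload = self._send(method, BASE_URL + path, headers, body)
        if status in (401, 419, 422):       # the error shapes documented above
            raise AuthError(status, payload.get("message", ""), payload.get("errors"))
        return payload

    def login(self, email, password):
        payload = self._call("POST", "/api/login", {"email": email, "password": password})
        # Sanctum plaintext tokens look like "<token id>|<secret>"; refuse anything else
        token_id, sep, secret = payload["token"].partition("|")
        if not (sep and token_id.isdigit() and secret):
            raise AuthError(200, "unexpected token format in login response")
        self.token = payload["token"]
        return payload["user"], payload["redirectTo"]

    def current_user(self):
        return self._call("GET", "/api/user")

    def logout(self):
        self._call("POST", "/api/logout")   # server revokes only this token
        self.token = None                   # so drop it client-side as well
```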