The Tripfy Africa API authenticates requests with Laravel Sanctum bearer tokens. You exchange credentials for a plain-text token, attach it to every subsequent request in the Authorization header, and revoke it when you are done.
Auth endpoints are rate-limited to 10 requests per minute to prevent brute-force attacks.

Token usage

Include your token in the Authorization header on every request that requires authentication:
Authorization: Bearer 1|abcdefghijklmnopqrstuvwxyz123456
When a token is missing or invalid the API responds with 401 Unauthorized:
{ "message": "Unauthenticated." }

Register

Create a new traveller account. A Sanctum token is returned immediately so you can authenticate without a separate login step.
POST /api/v1/auth/register

Request parameters

firstname (string, required): First name. Maximum 100 characters.
lastname (string, required): Last name. Maximum 100 characters.
email (string, required): A unique, valid email address. Maximum 255 characters.
password (string, required): Must be at least 8 characters and contain mixed case and at least one number.
password_confirmation (string, required): Must match password exactly.
phone (string, optional): Phone number including country code, e.g. +255712345678. Maximum 20 characters.

Response 201 Created

message (string): Confirmation message.
user (object)
token (string): Plain-text Sanctum bearer token. Store this securely on the client.
{
  "message": "Registration successful. Welcome to Tripfy Africa!",
  "user": {
    "id": 42,
    "firstname": "Amina",
    "lastname": "Hassan",
    "email": "[email protected]",
    "phone": "+255712345678",
    "image": null,
    "is_vendor": false,
    "kyc_status": 0,
    "created_at": "2024-06-01"
  },
  "token": "1|abcdefghijklmnopqrstuvwxyz123456"
}
curl -X POST https://tripfy.africa/api/v1/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "firstname": "Amina",
    "lastname": "Hassan",
    "email": "[email protected]",
    "password": "SecurePass1",
    "password_confirmation": "SecurePass1",
    "phone": "+255712345678"
  }'

Login

Authenticate with email and password. Any existing mobile-app tokens for the account are revoked before a new one is issued, so each login produces exactly one active token.
POST /api/v1/auth/login

Request parameters

email (string, required): The registered email address.
password (string, required): The account password.

Response 200 OK

message (string): "Login successful."
user (object): The authenticated user object (same shape as registration response).
token (string): Plain-text bearer token to use in the Authorization header.
{
  "message": "Login successful.",
  "user": {
    "id": 42,
    "firstname": "Amina",
    "lastname": "Hassan",
    "email": "[email protected]",
    "phone": "+255712345678",
    "image": "https://tripfy.africa/assets/upload/users/amina.jpg",
    "is_vendor": false,
    "kyc_status": 0,
    "created_at": "2024-06-01"
  },
  "token": "2|xyz789abcdefghijklmnopqrstuvwxyz"
}
If the account has been suspended the API returns 403 Forbidden with { "message": "Your account has been suspended." }. Contact support to resolve this.
curl -X POST https://tripfy.africa/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "[email protected]", "password": "SecurePass1"}'

Get current user

Return the profile of the user who owns the token. Useful for validating that a stored token is still active.
GET /api/v1/auth/me
Requires authentication.

Response 200 OK

user (object): The authenticated user object.
{
  "user": {
    "id": 42,
    "firstname": "Amina",
    "lastname": "Hassan",
    "email": "[email protected]",
    "phone": "+255712345678",
    "image": "https://tripfy.africa/assets/upload/users/amina.jpg",
    "is_vendor": false,
    "kyc_status": 0,
    "created_at": "2024-06-01"
  }
}
curl https://tripfy.africa/api/v1/auth/me \
  -H "Authorization: Bearer YOUR_TOKEN"

Logout

Revoke the token used in this request. Use this when the user logs out of the current device.
POST /api/v1/auth/logout
Requires authentication.

Response 200 OK

{ "message": "Logged out successfully." }
curl -X POST https://tripfy.africa/api/v1/auth/logout \
  -H "Authorization: Bearer YOUR_TOKEN"

Logout all devices

Revoke every token associated with the authenticated account. Use this when the user wants to sign out everywhere, for example after a suspected account compromise.
POST /api/v1/auth/logout-all
Requires authentication.

Response 200 OK

{ "message": "Logged out from all devices." }
curl -X POST https://tripfy.africa/api/v1/auth/logout-all \
  -H "Authorization: Bearer YOUR_TOKEN"

Error reference

| Status | Scenario | Example message |
| --- | --- | --- |
| 401 | Wrong email or password | "Invalid credentials." |
| 401 | Missing or revoked token | "Unauthenticated." |
| 403 | Account suspended | "Your account has been suspended." |
| 422 | Validation failure | Field-level errors object |
| 429 | Rate limit hit | "Too Many Attempts." |
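
An added example, not part of the Tripfy Africa documentation or any official SDK: a minimal Python client for the token lifecycle described on this page (login, Bearer header, dropping the token on 401, backing off on 429, logout). The names TripfySession, AuthError and http_send are hypothetical, and the Retry-After response header is an assumption; the page only states the limit of 10 requests per minute.

```python
import json, time, urllib.error, urllib.request
BASE = "https://tripfy.africa/api/v1"  # base URL from this page's curl examples

class AuthError(Exception): pass  # carries status and API message, never the token

def http_send(method, url, headers, body):  # hypothetical default transport
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, err.headers, json.loads(err.read() or b"{}")

class TripfySession:  # hypothetical name; holds one token, in memory only
    def __init__(self, send=http_send, sleep=time.sleep):
        self._send, self._sleep, self._token = send, sleep, None
    has_token = property(lambda self: self._token is not None)

    def _call(self, method, path, payload=None, auth=True, retries=2):
        headers = {"Accept": "application/json", "Content-Type": "application/json"}
        if auth:
            if self._token is None:
                raise AuthError("no token held; log in first")
            headers["Authorization"] = "Bearer " + self._token
        body = None if payload is None else json.dumps(payload).encode()
        for attempt in range(retries + 1):
            status, hdrs, data = self._send(method, BASE + path, headers, body)
            if status != 429 or attempt == retries:
                break
            self._sleep(int(hdrs.get("Retry-After", 6)))  # 10/min is one per 6 s; header assumed
        if status == 401:
            self._token = None  # missing or revoked token: drop it, never resend
        if status >= 400:
            raise AuthError(f"{status}: {data.get('message')}")
        return data

    def login(self, email, password):
        data = self._call("POST", "/auth/login", {"email": email, "password": password}, auth=False)
        self._token = data["token"]
        return data["user"]

    def me(self):
        return self._call("GET", "/auth/me")["user"]

    def logout(self):
        try:
            self._call("POST", "/auth/logout")
        finally:
            self._token = None  # forget locally even if the request failed
```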
