Overview

Laravel Breeze API provides RESTful endpoints for authentication, user management, and email verification. All routes follow Laravel’s standard naming conventions.

Route Files

Routes are defined in two main files:
  • routes/api.php - Protected API routes
  • routes/auth.php - Authentication routes

Authentication Routes

All authentication routes are defined in routes/auth.php.

Registration

routes/auth.php
Route::post('/register', [RegisteredUserController::class, 'store'])
    ->middleware('guest')
    ->name('register');
Endpoint: POST /register
Middleware: guest (unauthenticated users only)
Request Body:
{
  "name": "John Doe",
  "email": "[email protected]",
  "password": "password123",
  "password_confirmation": "password123"
}
Response: 204 No Content
Description: Creates a new user account and automatically logs them in.

Login

routes/auth.php
Route::post('/login', [AuthenticatedSessionController::class, 'store'])
    ->middleware('guest')
    ->name('login');
Endpoint: POST /login
Middleware: guest
Request Body:
{
  "email": "[email protected]",
  "password": "password123",
  "remember": true
}
Response: 204 No Content
Rate Limiting: 5 attempts per minute
Description: Authenticates a user and establishes a session.

Logout

routes/auth.php
Route::post('/logout', [AuthenticatedSessionController::class, 'destroy'])
    ->middleware('auth')
    ->name('logout');
Endpoint: POST /logout
Middleware: auth (authenticated users only)
Response: 204 No Content
Description: Invalidates the user’s session and logs them out.

Forgot Password

routes/auth.php
Route::post('/forgot-password', [PasswordResetLinkController::class, 'store'])
    ->middleware('guest')
    ->name('password.email');
Endpoint: POST /forgot-password
Middleware: guest
Request Body:
{
  "email": "[email protected]"
}
Response:
{
  "status": "We have emailed your password reset link."
}
Description: Sends a password reset link to the user’s email address.

Reset Password

routes/auth.php
Route::post('/reset-password', [NewPasswordController::class, 'store'])
    ->middleware('guest')
    ->name('password.store');
Endpoint: POST /reset-password
Middleware: guest
Request Body:
{
  "token": "reset-token-from-email",
  "email": "[email protected]",
  "password": "newpassword123",
  "password_confirmation": "newpassword123"
}
Response:
{
  "status": "Your password has been reset."
}
Description: Resets the user’s password using the token from the email.

Email Verification

routes/auth.php
Route::get('/verify-email/{id}/{hash}', VerifyEmailController::class)
    ->middleware(['auth', 'signed', 'throttle:6,1'])
    ->name('verification.verify');
Endpoint: GET /verify-email/{id}/{hash}
Middleware:
  • auth - User must be authenticated
  • signed - URL must be signed
  • throttle:6,1 - 6 requests per minute
Response: Redirects to {FRONTEND_URL}/dashboard?verified=1
Description: Verifies the user’s email address when they click the link in their verification email.
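
The `signed` middleware rejects a verification link whose signature does not match the URL it arrived on. The following added example (not Breeze or Laravel code) sketches that kind of check in Node.js as an HMAC-SHA256 over the URL with an optional `expires` parameter; the key, host and helper names are constructed for illustration.

```javascript
const crypto = require('node:crypto')

// Constructed demo key; a real deployment signs with the application's secret key.
const DEMO_KEY = 'constructed-demo-key'

function hmacHex(text, key) {
  return crypto.createHmac('sha256', key).update(text).digest('hex')
}

// Append an optional expiry and a signature covering the whole URL.
function signUrl(url, key, expiresAt) {
  const u = new URL(url)
  u.searchParams.delete('signature')
  if (expiresAt !== undefined) u.searchParams.set('expires', String(expiresAt))
  u.searchParams.set('signature', hmacHex(u.toString(), key))
  return u.toString()
}

// Recompute the signature over the URL minus `signature` and compare in constant time.
function hasValidSignature(url, key, now = Math.floor(Date.now() / 1000)) {
  const u = new URL(url)
  const given = Buffer.from(u.searchParams.get('signature') || '')
  u.searchParams.delete('signature')
  const expected = Buffer.from(hmacHex(u.toString(), key))
  const signatureOk = given.length === expected.length && crypto.timingSafeEqual(given, expected)
  const expires = u.searchParams.get('expires')
  const notExpired = expires === null || now <= Number(expires)
  return signatureOk && notExpired
}

// Constructed link in the shape of GET /verify-email/{id}/{hash}.
const link = signUrl('https://api.example.test/verify-email/1/abc123', DEMO_KEY, 2000)
console.log(hasValidSignature(link, DEMO_KEY, 1000))                       // untouched link
console.log(hasValidSignature(link.replace('/1/', '/2/'), DEMO_KEY, 1000)) // {id} changed
console.log(hasValidSignature(link, DEMO_KEY, 3000))                       // past expiry
```

Because the path and the `expires` value are both inside the signed string, changing the `{id}`, the `{hash}` or the expiry invalidates the link.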

Resend Verification Email

routes/auth.php
Route::post('/email/verification-notification', [EmailVerificationNotificationController::class, 'store'])
    ->middleware(['auth', 'throttle:6,1'])
    ->name('verification.send');
Endpoint: POST /email/verification-notification
Middleware:
  • auth - User must be authenticated
  • throttle:6,1 - 6 requests per minute
Response:
{
  "status": "verification-link-sent"
}
Description: Resends the email verification notification to the authenticated user.

Protected API Routes

Protected routes require authentication via Laravel Sanctum.

Get Authenticated User

routes/api.php
Route::middleware(['auth:sanctum'])->get('/user', function (Request $request) {
    return $request->user();
});
Endpoint: GET /api/user
Middleware: auth:sanctum
Response:
{
  "id": 1,
  "name": "John Doe",
  "email": "[email protected]",
  "email_verified_at": "2026-03-04T10:30:00.000000Z",
  "created_at": "2026-03-01T08:00:00.000000Z",
  "updated_at": "2026-03-04T10:30:00.000000Z"
}
Description: Returns the authenticated user’s data.

Making Authenticated Requests

CSRF Protection

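Before making authenticated requests, fetch a CSRF token. The response sets an XSRF-TOKEN cookie, which Axios sends back in the X-XSRF-TOKEN header on later requests:
await axios.get('/sanctum/csrf-cookie')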

Example with Axios

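import axios from 'axios'

const api = axios.create({
  baseURL: 'http://localhost:8000',
  // Send the session and XSRF-TOKEN cookies on cross-origin requests
  withCredentials: true,
  // Axios 1.6.2+ only adds the X-XSRF-TOKEN header cross-origin when this is set
  withXSRFToken: true,
  headers: {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
  }
})

// Get CSRF token (sets the XSRF-TOKEN cookie)
await api.get('/sanctum/csrf-cookie')

// Make authenticated request (requires a session established via POST /login)
const { data } = await api.get('/api/user')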
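
Axios handles the CSRF header automatically; a client built on `fetch` has to do it by hand. The following added example (not part of Breeze) shows the cookie-to-header step for such a client. The sample cookie string and the helper names are constructed, and it assumes the cookie is readable by script, as in `document.cookie`.

```javascript
// Constructed sample of document.cookie after GET /sanctum/csrf-cookie (values are made up).
const SAMPLE_COOKIES = 'theme=dark; XSRF-TOKEN=eyJpdiI6ImFiYyJ9%3D%3D'

// The cookie value is URL-encoded; the X-XSRF-TOKEN header must carry it decoded.
function xsrfTokenFromCookies(cookieString) {
  for (const pair of cookieString.split(';')) {
    const idx = pair.indexOf('=')
    if (idx !== -1 && pair.slice(0, idx).trim() === 'XSRF-TOKEN') {
      return decodeURIComponent(pair.slice(idx + 1).trim())
    }
  }
  return null
}

// Build fetch() options that mirror the Axios instance: credentials on every
// request, and the CSRF header on every state-changing request.
function requestOptions(method, body, cookieString) {
  const headers = { Accept: 'application/json' }
  const unsafe = !['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase())
  if (unsafe) {
    const token = xsrfTokenFromCookies(cookieString)
    // Fail before sending rather than let the server reject the request.
    if (!token) throw new Error('No XSRF-TOKEN cookie: request /sanctum/csrf-cookie first')
    headers['X-XSRF-TOKEN'] = token
    headers['Content-Type'] = 'application/json'
  }
  return {
    method,
    headers,
    credentials: 'include',
    body: unsafe ? JSON.stringify(body) : undefined,
  }
}

// Usage in a browser (not executed here):
//   await fetch(base + '/sanctum/csrf-cookie', { credentials: 'include' })
//   await fetch(base + '/login', requestOptions('POST', credentials, document.cookie))
```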

Route Naming

All routes use Laravel’s named route convention:
| Endpoint | Route Name |
| --- | --- |
| POST /register | register |
| POST /login | login |
| POST /logout | logout |
| POST /forgot-password | password.email |
| POST /reset-password | password.store |
| GET /verify-email/{id}/{hash} | verification.verify |
| POST /email/verification-notification | verification.send |

Middleware Groups

Guest Middleware

Prevents authenticated users from accessing routes:
  • /register
  • /login
  • /forgot-password
  • /reset-password

Auth Middleware

Requires authentication:
  • /logout
  • /api/user (via auth:sanctum)
  • /verify-email/{id}/{hash}
  • /email/verification-notification

Throttle Middleware

Rate limiting configuration:
  • Login attempts: 5 per minute (enforced in LoginRequest)
  • Email verification: 6 per minute
  • Verification resend: 6 per minute

Error Responses

401 Unauthorized

{
  "message": "Unauthenticated."
}

422 Validation Error

{
  "message": "The email field is required.",
  "errors": {
    "email": [
      "The email field is required."
    ]
  }
}

429 Too Many Requests

{
  "message": "Too many login attempts. Please try again in 60 seconds."
}
