
Authentication System

The GB App uses Laravel Sanctum for API authentication with session-based authentication for web routes. The application supports both local authentication and LDAP integration.

Authentication Middleware

All protected routes use the following middleware stack:
  • auth:sanctum - Sanctum authentication
  • config('jetstream.auth_session') - Session verification
  • verified - Email verification check

Get Authenticated User

Retrieve the currently authenticated user’s information.
GET /api/user

Headers
  • Authorization (string, required) - Bearer token for API authentication
  • Accept (string, default "application/json") - Response format the client accepts; send application/json so authentication failures are returned as JSON rather than a redirect

Response
  • id (integer) - User ID
  • name (string) - User’s full name
  • username (string) - Username for authentication
  • email (string) - User’s email address
  • type (string) - User type (e.g., ‘admin’, ‘designer’, ‘customer’)
  • codigo_vendedor (string) - Sales representative code
  • cedula (string) - National ID number
  • is_ldap_user (boolean) - Whether the user authenticates via LDAP
  • role_names (array) - Role names assigned to the user
  • permission_names (array) - Permission names granted to the user
  • profile_photo_url (string) - URL of the user’s profile photo

Example Request

curl -X GET https://your-domain.com/api/user \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Accept: application/json"

Example Response

{
  "id": 1,
  "name": "John Doe",
  "username": "jdoe",
  "email": "[email protected]",
  "type": "admin",
  "codigo_vendedor": "V001",
  "cedula": "1234567890",
  "is_ldap_user": false,
  "role_names": ["super-admin"],
  "permission_names": [
    "user.index",
    "user.create",
    "report.create",
    "role.index"
  ],
  "profile_photo_url": "https://your-domain.com/storage/profile-photos/default.jpg",
  "email_verified_at": "2026-01-15 10:30:00",
  "created_at": "2026-01-10 09:00:00",
  "updated_at": "2026-03-01 14:20:00"
}

Login Flow

The application uses Laravel Fortify and Jetstream for authentication flows:
  1. Web Login: Session-based authentication via /login route
  2. API Login: Token-based via Sanctum token creation
  3. LDAP Integration: Automatic authentication for LDAP users

Session Management

All web routes require:
  • Valid session cookie
  • CSRF token for state-changing operations
  • Email verification (for verified middleware)

LDAP Authentication

Users with is_ldap_user = true authenticate against the configured LDAP server:
  • Automatic user provisioning on first login
  • Synced user attributes from LDAP directory
  • GUID-based user matching

Logout

To log out, use Laravel’s built-in logout endpoint:
POST /logout
This invalidates the session and revokes the user’s API tokens.
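The following is an added example, not the GB App’s own code, showing how the API Login and Logout steps above fit together with the documented middleware stack: a local account exchanges its credentials for a Sanctum token limited to named abilities and a fixed lifetime, a protected route checks the ability before acting, and logout revokes every token of the user. The /tokens, /reports and /tokens/revoke paths, the device_name field, the report:create ability and the 12-hour lifetime are assumptions for this example; the Laravel and Sanctum calls themselves are the libraries’ real API, and the token expiry argument requires Sanctum 3.2 or newer.

```php
<?php
// Added example (not the GB App's own code). Intended for routes/api.php, where
// Laravel prefixes every path with /api. Route paths, the device_name field and
// the ability name are assumptions made for this example.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\ValidationException;

// API Login: issue a token for a local account. LDAP users (is_ldap_user = true)
// have no local password hash, so they are rejected here and must use the LDAP
// flow. throttle:6,1 caps attempts to six per minute; exceeding it yields 429.
Route::post('/tokens', function (Request $request) {
    $data = $request->validate([
        'username'    => ['required', 'string'],
        'password'    => ['required', 'string'],
        'device_name' => ['required', 'string'],
    ]);

    $user = User::where('username', $data['username'])->first();

    // One generic failure message: do not reveal whether the username exists
    // or whether the account is an LDAP account.
    if (! $user || $user->is_ldap_user || ! Hash::check($data['password'], $user->password)) {
        throw ValidationException::withMessages([
            'username' => ['The provided credentials are incorrect.'],
        ]);
    }

    // Scope the token to the abilities this client needs instead of ['*'], and
    // give it an expiry so a leaked token has a bounded lifetime (Sanctum 3.2+).
    // Clients request a fresh token when this one expires (token rotation).
    $token = $user->createToken($data['device_name'], ['report:create'], now()->addHours(12));

    return ['token' => $token->plainTextToken];
})->middleware('throttle:6,1');

// The documented middleware stack: Sanctum auth (token or session), Jetstream
// session verification, and the email-verification check.
Route::middleware(['auth:sanctum', config('jetstream.auth_session'), 'verified'])->group(function () {
    // Ability check: a valid token that lacks report:create authenticates but
    // still receives 403. Session-authenticated users pass tokenCan() by design.
    Route::post('/reports', function (Request $request) {
        abort_unless($request->user()->tokenCan('report:create'), 403);

        return response()->json(['status' => 'created'], 201);
    });

    // Logout for API clients: revoke every token of the user, matching the
    // documented behaviour of POST /logout.
    Route::post('/tokens/revoke', function (Request $request) {
        $request->user()->tokens()->delete();

        return response()->noContent();
    });
});
```

Because the issued token carries only report:create, a client that obtains one cannot call routes guarded by other abilities, and because it expires, the window in which a stolen token is useful is bounded even if revocation never happens.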

Error Responses

  • message (string) - Error message describing the authentication failure

Common Error Codes

Status Code   Description
401           Unauthenticated - Invalid or missing token
403           Forbidden - User lacks required permissions
419           CSRF token mismatch
429           Too many login attempts

Example Error Response

{
  "message": "Unauthenticated."
}

Best Practices

  1. Always use HTTPS in production for token transmission
  2. Store tokens securely - Never expose in client-side code
  3. Implement token rotation for long-lived sessions
  4. Use appropriate scopes for API tokens
  5. Monitor failed login attempts for security threats
