Architecture

Sanctum Tokens (not cookies)

Frontend and backend are separate apps on separate domains. Token-based auth works across origins without CORS complexity. Tokens are stored in an httpOnly cookie managed by Next.js, keeping the simplicity of cookie auth without the coupling.

Server Actions (not direct API calls)

All API calls go through Next.js Server Actions. The token never reaches the browser. This pattern gives you type-safe, validated calls with automatic error handling, and keeps secrets server-side.

Module ServiceProviders

Each module (Billing, Admin, etc.) registers its own routes, migrations, and config via a ServiceProvider. When the CLI removes a module, it removes the ServiceProvider — and everything it registered disappears cleanly.

Role Backed Enum

Roles are a PHP 8.4 backed enum (Role::Admin, Role::User). No magic strings, full IDE support, and the database stores the string value via Laravel's casts() method.

shadcn/ui (not a component library)

Components are copy-pasted into your project, not imported from a package. You own the code, can modify anything, and never worry about breaking changes from a library update.

React Context (not Redux/Zustand)

Server data (user, theme) is passed to client components via React Context. Zero extra dependencies. For a SaaS dashboard, this covers 99% of state management needs.

Custom ThemeProvider

60 lines of owned code instead of next-themes. Handles system preference detection, cookie persistence, and FOUC prevention. One less dependency to maintain.

Zod v4

Schema validation with type inference on both client and server. Forms use Zod schemas for validation, and Server Actions use the same schemas for server-side validation.