Authentication (Core)
Token-based authentication with Laravel Sanctum 4. This module is always present and cannot be removed.
API Endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/auth/register | Create account |
| POST | /api/auth/login | Sign in |
| POST | /api/auth/logout | Sign out |
| GET | /api/auth/user | Current user |
| PUT | /api/auth/profile | Update name/email |
| PUT | /api/auth/password | Change password |
| POST | /api/auth/avatar | Upload avatar |
| DELETE | /api/auth/avatar | Remove avatar |
| DELETE | /api/auth/account | Delete account |
| POST | /api/auth/forgot-password | Send reset link |
| POST | /api/auth/reset-password | Reset with token |
| GET | /api/auth/email/verify/{id}/{hash} | Verify email |
| POST | /api/auth/email/resend | Resend verification |
| GET | /api/auth/google | Google OAuth redirect |
| GET | /api/auth/google/callback | Google OAuth callback |
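The login, user and logout rows above are the core of the Sanctum token flow. The following is an added illustration of how that flow fits together; it is not the kit's own code (the kit uses controllers, the closures and the `api` token name here are assumptions made for brevity):

```php
<?php
// Added example, not the kit's own code. Belongs in routes/api.php, where
// Laravel already applies the /api prefix. Token name 'api' and the 7-day
// expiry are assumptions.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\ValidationException;

Route::prefix('auth')->group(function () {
    // POST /api/auth/login: exchange credentials for a bearer token.
    Route::post('login', function (Request $request) {
        $data = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        $user = User::where('email', $data['email'])->first();

        // One generic error for both "unknown email" and "wrong password",
        // so the endpoint does not confirm which addresses have accounts.
        if (! $user || ! Hash::check($data['password'], $user->password)) {
            throw ValidationException::withMessages([
                'email' => ['The provided credentials are incorrect.'],
            ]);
        }

        // A fresh token per login. The plaintext value is returned exactly
        // once; Sanctum stores only its SHA-256 hash in personal_access_tokens.
        $token = $user->createToken('api', ['*'], now()->addDays(7));

        return response()->json(['token' => $token->plainTextToken]);
    });

    // Everything below requires "Authorization: Bearer <token>".
    Route::middleware('auth:sanctum')->group(function () {
        // GET /api/auth/user: the user the presented token resolves to.
        Route::get('user', fn (Request $request) => $request->user());

        // POST /api/auth/logout: revoke only the token used for this request,
        // so the user's other devices stay signed in.
        Route::post('logout', function (Request $request) {
            $request->user()->currentAccessToken()->delete();

            return response()->noContent();
        });
    });
});
```

A client then calls `GET /api/auth/user` with `Authorization: Bearer <token>`; once the token row is deleted by logout (or passes its expiry) the same header yields a 401, because Sanctum looks the hash up on every request rather than trusting anything inside the token string.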
Frontend Pages
| Page | Purpose |
|---|---|
| /login | Sign in with email or Google |
| /register | Create account |
| /forgot-password | Request password reset |
| /settings | Profile, avatar, password, deletion |
What's included
Google sign-in
Via Laravel Socialite. If an account with the same email already exists, the Google identity is linked to it automatically. Linking by email is only safe when the provider attests that the address is verified; Google's userinfo response carries an email_verified claim for exactly that purpose.
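An added example (not the kit's own callback) of what a safe version of that linking step looks like: match on the stable Google subject id first, and fall back to email only when Google reports the address as verified. The `google_id` column and the `google` token name are assumptions.

```php
<?php
// Added example, not the kit's own code. Handles /api/auth/google/callback.
// Assumes a nullable `google_id` column on users and a `hashed` password cast.

use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;
use Laravel\Socialite\Facades\Socialite;

function handleGoogleCallback(): JsonResponse
{
    $googleUser = Socialite::driver('google')->user();

    // Without this check, anyone who can register an *unverified* Google
    // identity for someone else's address could be linked to that person's
    // local account. getRaw() exposes the provider's userinfo payload.
    $emailVerified = (bool) ($googleUser->getRaw()['email_verified'] ?? false);

    $user = DB::transaction(function () use ($googleUser, $emailVerified) {
        // 1. Stable match: the provider's subject id never changes.
        $user = User::where('google_id', $googleUser->getId())->first();

        // 2. Email match, only for a verified address, then pin the subject id
        //    so future logins take path 1 even if the email changes later.
        if (! $user && $emailVerified) {
            $user = User::where('email', $googleUser->getEmail())->first();
            $user?->forceFill(['google_id' => $googleUser->getId()])->save();
        }

        // 3. Brand-new user: still refuse an unverified address.
        if (! $user) {
            if (! $emailVerified) {
                abort(403, 'Google reports this email address as unverified.');
            }
            $user = User::create([
                'name'              => $googleUser->getName(),
                'email'             => $googleUser->getEmail(),
                'google_id'         => $googleUser->getId(),
                'email_verified_at' => now(),
                // Random password: the account cannot be entered via /login
                // until the user deliberately sets one in /settings.
                'password'          => Hash::make(Str::random(40)),
            ]);
        }

        return $user;
    });

    return response()->json([
        'token' => $user->createToken('google')->plainTextToken,
    ]);
}
```

For a pure API flow that has no session between the redirect and the callback, Socialite's `->stateless()` must be chained before `->user()`; the linking logic is unchanged.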
Profile picture
Users can upload an avatar; when none is set, the UI falls back to the user's initials.
Email verification
New users confirm their address through a signed verification URL (Laravel's signed routes, so any change to the link invalidates it). The verification email can be resent via /api/auth/email/resend.
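An added example (not the kit's own code) of the signed-URL mechanism behind /api/auth/email/verify/{id}/{hash}: the link is minted with a temporary signature, and the route refuses any request whose signature has been tampered with or has expired. The 60-minute lifetime and the route name are assumptions.

```php
<?php
// Added example, not the kit's own code. Requires the User model to implement
// Illuminate\Contracts\Auth\MustVerifyEmail. Expiry and route name are assumptions.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\URL;

// Builds the link placed in the verification email. This mirrors what Laravel's
// VerifyEmail notification does: the signature covers id, hash and expiry, so
// editing any of them (e.g. swapping in another user's id) breaks it.
function verificationUrlFor(User $user): string
{
    return URL::temporarySignedRoute(
        'verification.verify',
        now()->addMinutes(60),
        ['id' => $user->getKey(), 'hash' => sha1($user->getEmailForVerification())]
    );
}

// The 'signed' middleware rejects bad or expired signatures with 403 before
// the closure runs; the closure then only has to bind the link to the address.
Route::get('auth/email/verify/{id}/{hash}', function (Request $request, string $id, string $hash) {
    $user = User::findOrFail($id);

    // The hash ties the link to the email that was current when it was sent.
    // If the user changed their address afterwards, an old link must not
    // verify the new one. hash_equals keeps the comparison constant-time.
    if (! hash_equals(sha1($user->getEmailForVerification()), $hash)) {
        abort(403, 'Invalid verification link.');
    }

    if (! $user->hasVerifiedEmail()) {
        $user->markEmailAsVerified();
    }

    return response()->json(['verified' => true]);
})->middleware('signed')->name('verification.verify');
```

The signature is an HMAC over the full URL using APP_KEY, so rotating APP_KEY invalidates every outstanding verification link; that is worth knowing before a key rotation, and /api/auth/email/resend is the recovery path.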
Rate limiting
Auth endpoints are throttled to 5 requests per minute to slow down credential brute-forcing; requests over the limit receive HTTP 429 with a Retry-After header.
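How a limiter of that shape is expressed in Laravel, as an added example rather than the kit's own configuration. It keys the 5-per-minute limit on the submitted email plus the client IP, so one attacker can neither spray a single account from many addresses nor walk through many accounts from one address; the limiter name `auth` and the 30-per-minute per-IP backstop are assumptions.

```php
<?php
// Added example, not the kit's own configuration. The RateLimiter::for call
// belongs in a service provider's boot() method; limiter name and the
// per-IP backstop value are assumptions.

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

RateLimiter::for('auth', function (Request $request) {
    // Normalise so "Alice@Example.com" and "alice@example.com" share a bucket.
    $email = Str::lower(trim((string) $request->input('email', '')));

    return [
        // Per target: 5 attempts per minute against one account from one IP.
        Limit::perMinute(5)
            ->by($email.'|'.$request->ip())
            ->response(fn () => response()->json(
                ['message' => 'Too many attempts. Try again shortly.'], 429
            )),

        // Per source: a looser cap on everything one IP sends to auth routes,
        // which catches enumeration that rotates the email on every request.
        Limit::perMinute(30)->by('ip|'.$request->ip()),
    ];
});

// routes/api.php: attach the named limiter to the unauthenticated auth routes.
Route::prefix('auth')->middleware('throttle:auth')->group(function () {
    Route::post('login', /* ... */ fn () => null);
    Route::post('register', /* ... */ fn () => null);
    Route::post('forgot-password', /* ... */ fn () => null);
});
```

Two caveats when deploying this: `$request->ip()` is only meaningful behind a load balancer if the trusted-proxies configuration is set, otherwise every client shares the proxy's address and one bucket; and the counters live in the configured cache store, so a multi-node deployment needs a shared store (Redis, database) rather than the per-process array or file driver for the limit to hold cluster-wide.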
Account deletion
Deletion is a soft delete: the user row is stamped with deleted_at and hidden from normal queries rather than being removed immediately, leaving a window before permanent removal.
Two roles: user & admin
Roles are a PHP backed enum, so role checks compare enum cases instead of magic strings, and a value outside the enum cannot be constructed at all.
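An added example (not the kit's own code) of what "no magic strings" buys in practice: the enum is cast on the model, so an unknown role throws instead of being stored, and the single admin check lives in one Gate that routes reference by name. The `role` column, the gate name and the file paths in the comments are assumptions.

```php
<?php
// Added example, not the kit's own code. Column `role`, gate `admin` and
// the file layout noted in comments are assumptions.

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\Rule;

// app/Enums/Role.php
enum Role: string
{
    case User  = 'user';
    case Admin = 'admin';

    public function isAdmin(): bool
    {
        return $this === self::Admin;
    }
}

// app/Models/User.php (excerpt). With the enum cast, reads return a Role case
// and writes accept a case or its backing string; assigning 'superuser'
// throws a ValueError rather than persisting a role no code ever checks for.
class User extends Authenticatable
{
    protected $casts = [
        'role' => Role::class,
    ];
}

// AppServiceProvider::boot(): the only place the admin rule is spelled out.
Gate::define('admin', fn (User $user): bool => $user->role->isAdmin());

// routes/api.php: 'can:admin' runs the gate after auth:sanctum has resolved
// the token to a user, so an unauthenticated caller gets 401 and a non-admin 403.
Route::middleware(['auth:sanctum', 'can:admin'])
    ->get('admin/users', fn () => User::query()->paginate());

// Request validation for anything that sets a role: Rule::enum rejects every
// value that is not one of the declared cases before it reaches the model.
$rules = [
    'role' => ['required', Rule::enum(Role::class)],
];

// Parsing untrusted input elsewhere: tryFrom() returns null instead of throwing.
$role = Role::tryFrom('moderator') ?? Role::User;
```

The default for new registrations should be applied server-side (a database default or an explicit `Role::User` in the registration handler), never taken from the request body; the validation rule above only constrains the value's shape, not who is allowed to set it.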