Forem: K. Polash The latest articles on Forem by K. Polash (@polash). https://forem.com/polash https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1241000%2F8c8504ee-e938-418e-b885-2111bea6aee4.jpg Forem: K. Polash https://forem.com/polash en Why Your System Fails on the Most Predictable Day of the Year K. Polash Wed, 01 Apr 2026 16:30:00 +0000 https://forem.com/polash/why-your-system-fails-on-the-most-predictable-day-of-the-year-df1 https://forem.com/polash/why-your-system-fails-on-the-most-predictable-day-of-the-year-df1 <p>Most applications don't fail because of bad code.</p> <p>They fail because of bad architecture decisions made early that nobody questioned <br> until it was too late.</p> <p>Here's what actually breaks systems at scale:</p> <ul> <li>Everything talking to everything (no clear boundaries)</li> <li>The database doing work the application should do</li> <li>Synchronous processing where async was needed</li> <li>One giant service that owns too much responsibility</li> <li>No separation between reads and writes under heavy load</li> </ul> <p>None of these are framework problems. None of these are language problems.<br> <strong>They are thinking problems.</strong></p> <h2> The Scenario: University Enrollment Day </h2> <p>Think about course enrollment day at any university.</p> <p>Every semester, thousands of students flood the portal at the exact same time, each trying to register for their courses. The load is not a surprise. <strong>The date is on the calendar.</strong> It happens every single semester like clockwork.</p> <p>But the system was never designed for it.</p> <p>Every request hits the same flow β€” check eligibility, check seat availability, write enrollment, update seat count β€” all synchronously, all at once. No queue. No cache. No separation between reads and writes. Just a database choking under the weight of an entirely predictable moment.</p> <p>Students get timeout errors. Duplicate enrollments. Lost seats they were fully eligible for. Everyone refreshes in panic. And every semester, someone calls IT to "increase the server capacity" and nothing really changes.</p> <p><strong>The code isn't broken. The thinking is.</strong></p> <h2> What's Actually Going On </h2> <p>Most teams look at this and see one problem: too much traffic. So they throw more servers at it. It helps a little, then fails again next semester.</p> <p>The reality is there are <strong>5 separate problems</strong> here, each requiring a different solution. Solving one without the others just moves the failure to a different place.</p> <h3> πŸ”₯ The Spike </h3> <p>Thousands of simultaneous requests will bring any database to its knees regardless of hardware. A queue, a cache layer, and read/write separation need to work together. Most teams implement one and call it done.</p> <h3> πŸ” The Race Condition </h3> <p>Even with a queue, two workers can read "1 seat available" at the same time, both pass eligibility, and both enroll into the last seat. The queue serialized intake. It did not serialize processing. You need locking β€” pessimistic, optimistic, or distributed β€” and each has real tradeoffs.</p> <h3> πŸ‘† The Double Click </h3> <p>A student hits Enroll and the page is slow. They click again. Now two identical requests are in flight. Even with locking in place, without idempotency handling both clicks can create two enrollment records. This is not a database problem. It is an <strong>API design problem</strong> β€” and the one most teams discover only after finding duplicate records in production.</p> <h3> πŸ’₯ The Half-Enrolled Student </h3> <p>A successful enrollment is not one database write. It is a chain: write the record, decrement the seat count, send confirmation, update the academic record, generate a fee entry. What happens if the system crashes after step 2?</p> <p>The seat is taken. The student has no confirmation. The database says enrolled. The academic record disagrees. <strong>Designing for the middle of failure is architecture.</strong> Designing only for the happy path is wishful thinking.</p> <h3> πŸ•³οΈ The Stale Cache Trap </h3> <p>The cache says 5 seats available. The database already has 0. Students attempt to enroll based on stale data, hit the lock, fail, and get a confusing error even though the portal showed availability 3 seconds ago. The cache improved performance but silently introduced a <strong>trust problem</strong>. Cache invalidation strategy needs to be designed upfront, not patched after support tickets pile up.</p> <h2> The Questions That Actually Matter </h2> <p>The engineers who scale systems well ask different questions from the start:</p> <ul> <li>Where are my bottlenecks under 10x load?</li> <li>What happens if this one service goes down?</li> <li>Am I coupling things that should be independent?</li> <li>What happens in the <em>middle</em> of a failure, not just at the end?</li> <li>Can the same request safely arrive twice?</li> </ul> <p>None of these have anything to do with which framework you picked or which cloud provider you use. They are design questions. Thinking questions.</p> <p>I wrote a full deep dive on all 5 problems with concrete solutions for each one.</p> <p>πŸ‘‰ <a href="https://www.linkedin.com/pulse/why-your-system-fails-most-predictable-day-year-k-polash-q0mxc" rel="noopener noreferrer">Read the full article here β†’</a></p> <p><em>Architecture is not about knowing the right tools. It is about asking the right questions early enough that the answers still matter.</em></p> systemdesign architecture backend distributedsystems Laravel Queue vs defer(): When to Use Each (Laravel 11, 12 & 13) K. Polash Mon, 30 Mar 2026 06:48:29 +0000 https://forem.com/polash/laravel-queue-vs-defer-when-to-use-each-laravel-11-12-13-303e https://forem.com/polash/laravel-queue-vs-defer-when-to-use-each-laravel-11-12-13-303e <p>Laravel 11 quietly introduced one of the most practical helpers in years: <code>defer()</code>.</p> <p>It lets you run code <strong>after</strong> the HTTP response has been sent β€” no queue worker, no Redis, no Supervisor config. Just:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nf">defer</span><span class="p">(</span><span class="k">fn</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nc">Metrics</span><span class="o">::</span><span class="nf">recordOrder</span><span class="p">(</span><span class="nv">$order</span><span class="p">));</span> </code></pre> </div> <p>The user gets the response instantly. The closure runs after. Zero extra infrastructure.</p> <p>But a lot of developers are either ignoring it or misusing it. So here's the honest breakdown.</p> <h2> The One-Line Rule </h2> <ul> <li> <strong><code>defer()</code></strong> β†’ "I'm okay if this is lost on a crash"</li> <li> <strong>Queue Job</strong> β†’ "This must succeed, and retry if it fails"</li> </ul> <h2> What defer() actually does </h2> <blockquote> <p>Runs a closure in the same PHP process, after the HTTP response is sent.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">use</span> <span class="k">function</span> <span class="n">Illuminate\Support\defer</span><span class="p">;</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'/orders'</span><span class="p">,</span> <span class="k">function</span> <span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$order</span> <span class="o">=</span> <span class="nc">Order</span><span class="o">::</span><span class="nf">create</span><span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">validated</span><span class="p">());</span> <span class="nf">defer</span><span class="p">(</span><span class="k">fn</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nc">Metrics</span><span class="o">::</span><span class="nf">recordOrder</span><span class="p">(</span><span class="nv">$order</span><span class="p">));</span> <span class="c1">// fires AFTER response</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">(</span><span class="nv">$order</span><span class="p">,</span> <span class="mi">201</span><span class="p">);</span> <span class="c1">// returned immediately</span> <span class="p">});</span> </code></pre> </div> <p>Key behaviours:</p> <ul> <li>Skips execution if the response is a <code>4xx</code> or <code>5xx</code> (use <code>-&gt;always()</code> to override)</li> <li>Can be named and cancelled: <code>defer(fn () =&gt; ..., 'name')</code> + <code>defer()-&gt;forget('name')</code> </li> <li>Doesn't survive a server crash β€” not persisted anywhere</li> </ul> <p><strong>Version support:</strong> Laravel 11+ only. Not available in Laravel 10 or earlier.</p> <h2> Quick Comparison Table </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Queue Job</th> <th>defer()</th> </tr> </thead> <tbody> <tr> <td>Needs queue worker</td> <td>βœ… Yes</td> <td>❌ No</td> </tr> <tr> <td>Needs Redis / DB driver</td> <td>βœ… Yes</td> <td>❌ No</td> </tr> <tr> <td>Persisted to storage</td> <td>βœ… Yes</td> <td>❌ No</td> </tr> <tr> <td>Retries on failure</td> <td>βœ… Yes</td> <td>❌ No</td> </tr> <tr> <td>Delayed execution</td> <td>βœ… Yes</td> <td>❌ No</td> </tr> <tr> <td>Monitoring (Horizon)</td> <td>βœ… Yes</td> <td>❌ No</td> </tr> <tr> <td>Zero setup</td> <td>❌ No</td> <td>βœ… Yes</td> </tr> <tr> <td>Runs after response</td> <td>separate process</td> <td>βœ… same process</td> </tr> </tbody> </table></div> <h2> Use defer() for: </h2> <ul> <li>Recording analytics after an order</li> <li>Incrementing page view / "last seen" counters</li> <li>Busting a cache key after a resource is created</li> <li>Non-critical internal Slack notifications</li> <li>Lightweight audit trail writes</li> </ul> <h2> Use Queue Jobs for: </h2> <ul> <li>Transactional emails (must not be lost)</li> <li>Payment webhooks and API calls (must retry)</li> <li>Image/file processing (CPU heavy)</li> <li>Delayed tasks ("send reminder in 24 hours")</li> <li>Anything monitored via Horizon or Telescope</li> </ul> <h2> ⚠️ The Swoole Gotcha </h2> <p>If you use Swoole or FrankenPHP, always import Laravel's <code>defer()</code> explicitly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// WRONG on Swoole β€” calls Swoole's defer(), not Laravel's</span> <span class="nf">defer</span><span class="p">(</span><span class="k">fn</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nc">Metrics</span><span class="o">::</span><span class="nf">record</span><span class="p">(</span><span class="nv">$data</span><span class="p">));</span> <span class="c1">// CORRECT</span> <span class="kn">use</span> <span class="k">function</span> <span class="n">Illuminate\Support\defer</span><span class="p">;</span> <span class="nf">defer</span><span class="p">(</span><span class="k">fn</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nc">Metrics</span><span class="o">::</span><span class="nf">record</span><span class="p">(</span><span class="nv">$data</span><span class="p">));</span> </code></pre> </div> <p>Swoole has its own global <code>defer()</code>. The conflict is silent and will cost you hours.</p> <h2> Testing Deferred Functions </h2> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">test_order_records_metrics</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">withoutDefer</span><span class="p">();</span> <span class="c1">// runs deferred closures immediately</span> <span class="nc">Metrics</span><span class="o">::</span><span class="nf">shouldReceive</span><span class="p">(</span><span class="s1">'recordOrder'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">once</span><span class="p">();</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">postJson</span><span class="p">(</span><span class="s1">'/api/orders'</span><span class="p">,</span> <span class="p">[</span><span class="s1">'product_id'</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">,</span> <span class="s1">'qty'</span> <span class="o">=&gt;</span> <span class="mi">2</span><span class="p">])</span> <span class="o">-&gt;</span><span class="nf">assertStatus</span><span class="p">(</span><span class="mi">201</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Full post </h2> <p>For the full decision guide (including the 8-question decision matrix, Laravel 13 notes, and full code examples):</p> <p>πŸ‘‰ <a href="https://pola5h.github.io/blog/laravel-queue-vs-defer/" rel="noopener noreferrer">pola5h.github.io/blog/laravel-queue-vs-defer/</a></p> <p>What do you use <code>defer()</code> for in your projects? Drop it in the comments πŸ‘‡</p> webdev laravel php backend Laravel 13 drops March 17 β€” here's every new feature with code examples K. Polash Sun, 08 Mar 2026 15:11:16 +0000 https://forem.com/polash/laravel-13-drops-march-17-heres-every-new-feature-with-code-examples-3joa https://forem.com/polash/laravel-13-drops-march-17-heres-every-new-feature-with-code-examples-3joa <p>Laravel 13 is 9 days away. Taylor Otwell announced it at Laracon EU 2026 and the headline is: <strong>zero breaking changes</strong>. Smoothest upgrade in Laravel's history.</p> <p>Here's everything that's changing, with before/after code for the features that actually matter day-to-day.</p> <h2> PHP 8.3 is now the minimum </h2> <p>First the housekeeping. Laravel 13 drops PHP 8.2 support. Check your version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>php <span class="nt">-v</span> </code></pre> </div> <p>If you're on 8.2, upgrade your server before upgrading Laravel. Everything else in this list is non-breaking and optional.</p> <h2> 1. PHP Attributes β€” the headline feature </h2> <p>This is the one everyone will be talking about. Instead of declaring model config, job settings, and command signatures as class properties, you can now use native PHP <code>#[Attribute]</code> syntax.</p> <p><strong>Models β€” before:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">Invoice</span> <span class="kd">extends</span> <span class="nc">Model</span> <span class="p">{</span> <span class="k">protected</span> <span class="nv">$table</span> <span class="o">=</span> <span class="s1">'invoices'</span><span class="p">;</span> <span class="k">protected</span> <span class="nv">$primaryKey</span> <span class="o">=</span> <span class="s1">'invoice_id'</span><span class="p">;</span> <span class="k">protected</span> <span class="nv">$keyType</span> <span class="o">=</span> <span class="s1">'string'</span><span class="p">;</span> <span class="k">public</span> <span class="nv">$incrementing</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="k">protected</span> <span class="nv">$fillable</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'amount'</span><span class="p">,</span> <span class="s1">'status'</span><span class="p">,</span> <span class="s1">'user_id'</span><span class="p">];</span> <span class="k">protected</span> <span class="nv">$hidden</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'internal_notes'</span><span class="p">];</span> <span class="c1">// actual model logic starts way down here...</span> <span class="p">}</span> </code></pre> </div> <p><strong>Models β€” after:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="na">#[Table('invoices', key: 'invoice_id', keyType: 'string', incrementing: false)]</span> <span class="na">#[Fillable('amount', 'status', 'user_id')]</span> <span class="na">#[Hidden('internal_notes')]</span> <span class="kd">class</span> <span class="nc">Invoice</span> <span class="kd">extends</span> <span class="nc">Model</span> <span class="p">{</span> <span class="c1">// your real logic is immediately visible</span> <span class="p">}</span> </code></pre> </div> <p><strong>Jobs β€” before:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">ProcessPayment</span> <span class="kd">implements</span> <span class="nc">ShouldQueue</span> <span class="p">{</span> <span class="k">public</span> <span class="nv">$connection</span> <span class="o">=</span> <span class="s1">'redis'</span><span class="p">;</span> <span class="k">public</span> <span class="nv">$queue</span> <span class="o">=</span> <span class="s1">'payments'</span><span class="p">;</span> <span class="k">public</span> <span class="nv">$tries</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="k">public</span> <span class="nv">$timeout</span> <span class="o">=</span> <span class="mi">60</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Jobs β€” after:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="na">#[WithQueue(connection: 'redis', queue: 'payments', tries: 3, timeout: 60)]</span> <span class="kd">class</span> <span class="nc">ProcessPayment</span> <span class="kd">implements</span> <span class="nc">ShouldQueue</span> <span class="p">{</span> <span class="c1">// queue config declared, not buried</span> <span class="p">}</span> </code></pre> </div> <p><strong>Commands β€” before:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">SendReportCommand</span> <span class="kd">extends</span> <span class="nc">Command</span> <span class="p">{</span> <span class="k">protected</span> <span class="nv">$signature</span> <span class="o">=</span> <span class="s1">'report:send {--force}'</span><span class="p">;</span> <span class="k">protected</span> <span class="nv">$description</span> <span class="o">=</span> <span class="s1">'Send the weekly report email'</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Commands β€” after:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="na">#[Command(signature: 'report:send {--force}', description: 'Send the weekly report email')]</span> <span class="kd">class</span> <span class="nc">SendReportCommand</span> <span class="kd">extends</span> <span class="nc">Command</span> <span class="p">{</span> <span class="p">}</span> </code></pre> </div> <p>This also works on listeners, notifications, mailables, broadcast events, requests β€” around 15 locations total. And again: <strong>fully optional</strong>. Your existing code works exactly as before.</p> <h2> 2. Cache::touch() β€” extend TTL without re-fetching </h2> <p>This one's been a quiet performance footgun for years. To extend a cache item's expiry you had to fetch the value, then re-store it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Before β€” 2 round trips, full payload transfer</span> <span class="nv">$value</span> <span class="o">=</span> <span class="nc">Cache</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'user_session:123'</span><span class="p">);</span> <span class="nc">Cache</span><span class="o">::</span><span class="nf">put</span><span class="p">(</span><span class="s1">'user_session:123'</span><span class="p">,</span> <span class="nv">$value</span><span class="p">,</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">addHour</span><span class="p">());</span> </code></pre> </div> <p>Laravel 13:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// After β€” single EXPIRE command to Redis</span> <span class="nc">Cache</span><span class="o">::</span><span class="nb">touch</span><span class="p">(</span><span class="s1">'user_session:123'</span><span class="p">,</span> <span class="mi">3600</span><span class="p">);</span> </code></pre> </div> <p>Under the hood: Redis gets one <code>EXPIRE</code> command. Memcached uses native <code>TOUCH</code>. Database driver runs a single <code>UPDATE</code>. No value retrieval, no payload transfer.</p> <p>If you're extending TTLs on every request at scale (sliding sessions, rate limit windows, subscription checks) β€” this adds up fast.</p> <h2> 3. Reverb database driver β€” real-time without Redis </h2> <p>Scaling Laravel Reverb horizontally previously required Redis. Laravel 13 adds a database driver so you can use MySQL or PostgreSQL instead:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'reverb'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'scaling'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'driver'</span> <span class="o">=&gt;</span> <span class="s1">'database'</span><span class="p">,</span> <span class="c1">// new β€” no Redis required</span> <span class="p">],</span> <span class="p">],</span> </code></pre> </div> <p>For small-to-medium projects that don't want to provision a separate Redis instance just for WebSockets, this is a big deal.</p> <h2> 4. Passkey authentication </h2> <p>Passkeys (WebAuthn β€” Face ID, fingerprint, hardware keys) are now built into Laravel's starter kits and Fortify. No third-party packages. Scaffolded automatically on new Laravel 13 apps.</p> <h2> 5. Laravel AI SDK goes stable </h2> <p>The Laravel AI SDK exits beta on March 17 alongside Laravel 13. First-class LLM integration (OpenAI, Anthropic, others) with proper queue support and Laravel-native conventions.</p> <h2> 6. Teams support returns to starter kits </h2> <p>Jetstream had Teams. The newer starter kits didn't. Laravel 13 brings it back with a cleaner implementation.</p> <h2> Other improvements worth knowing </h2> <ul> <li> <strong>MySQL DELETE…JOIN</strong> now correctly applies <code>ORDER BY</code> and <code>LIMIT</code> β€” previously silently ignored</li> <li> <strong>HTTP pool concurrency</strong> defaults to <code>2</code> instead of <code>null</code> β€” pooled requests are now actually concurrent out of the box</li> <li> <strong>Symfony 7.4 and 8.0</strong> support</li> </ul> <h2> How to upgrade </h2> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"require"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"php"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^8.3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"laravel/framework"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^13.0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>composer update php artisan config:clear php artisan cache:clear php artisan view:clear </code></pre> </div> <p>Make sure PHP 8.3 is running first. Test on staging before touching production.</p> <h2> Full feature breakdown </h2> <p>I wrote a more detailed version with upgrade notes and FAQ on my blog:</p> <p>πŸ‘‰ <a href="https://pola5h.github.io/blog/laravel-13-new-features/" rel="noopener noreferrer">Laravel 13 New Features: Everything You Need to Know</a></p> <p>Which feature are you most excited about? PHP Attributes are the headline but I think <code>Cache::touch()</code> is the one that will quietly save the most performance at scale. Drop your thoughts below.</p> webdev programming laravel php The Laravel Sanctum setup that actually works (and what trips most people up) K. Polash Sun, 08 Mar 2026 06:47:31 +0000 https://forem.com/polash/the-laravel-sanctum-setup-that-actually-works-and-what-trips-most-people-up-m3e https://forem.com/polash/the-laravel-sanctum-setup-that-actually-works-and-what-trips-most-people-up-m3e <p>I've set up Sanctum in probably 8 or 9 Laravel projects at this point β€” payroll systems, SaaS tools, e-commerce APIs. Every time I onboard a junior dev or review someone's code, I see the same 3-4 mistakes repeated. So here's the setup that works, plus the exact things that will silently break it.</p> <h2> First: what Sanctum actually does </h2> <p>Sanctum issues a plain-text token, stores a hashed version in your <code>personal_access_tokens</code> table, and validates it on every request with a database lookup. That's it. No JWT, no signatures, no decoding β€” just a DB row.</p> <p>This is why token revocation is trivially easy with Sanctum and nightmarish with JWT. Delete the row, the token is dead instantly.</p> <h2> The setup (Laravel 12) </h2> <p><strong>Step 1 β€” Install (Laravel 10 and below only)</strong></p> <p>Laravel 11 and 12 ship with Sanctum already. If you're on 10:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>composer require laravel/sanctum php artisan vendor:publish <span class="nt">--provider</span><span class="o">=</span><span class="s2">"Laravel</span><span class="se">\S</span><span class="s2">anctum</span><span class="se">\S</span><span class="s2">anctumServiceProvider"</span> php artisan migrate </code></pre> </div> <p><strong>Step 2 β€” Add the trait to your User model</strong></p> <p>This is the one people forget most often:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">use</span> <span class="nc">Laravel\Sanctum\HasApiTokens</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">User</span> <span class="kd">extends</span> <span class="nc">Authenticatable</span> <span class="p">{</span> <span class="kn">use</span> <span class="nc">HasApiTokens</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Without this, <code>createToken()</code> doesn't exist on your model, and you'll get a cryptic error.</p> <p><strong>Step 3 β€” Routes</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">Route</span><span class="o">::</span><span class="nf">prefix</span><span class="p">(</span><span class="s1">'v1'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">group</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="c1">// Public</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'auth/register'</span><span class="p">,</span> <span class="p">[</span><span class="nc">AuthController</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'register'</span><span class="p">]);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'auth/login'</span><span class="p">,</span> <span class="p">[</span><span class="nc">AuthController</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'login'</span><span class="p">]);</span> <span class="c1">// Protected</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">middleware</span><span class="p">(</span><span class="s1">'auth:sanctum'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">group</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'auth/logout'</span><span class="p">,</span> <span class="p">[</span><span class="nc">AuthController</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'logout'</span><span class="p">]);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'auth/me'</span><span class="p">,</span> <span class="p">[</span><span class="nc">AuthController</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'me'</span><span class="p">]);</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>Step 4 β€” The AuthController</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">login</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">validate</span><span class="p">([</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="s1">'required|email'</span><span class="p">,</span> <span class="s1">'password'</span> <span class="o">=&gt;</span> <span class="s1">'required'</span><span class="p">,</span> <span class="p">]);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span> <span class="nc">Auth</span><span class="o">::</span><span class="nf">attempt</span><span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">only</span><span class="p">(</span><span class="s1">'email'</span><span class="p">,</span> <span class="s1">'password'</span><span class="p">)))</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span><span class="s1">'message'</span> <span class="o">=&gt;</span> <span class="s1">'Invalid credentials'</span><span class="p">],</span> <span class="mi">401</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$token</span> <span class="o">=</span> <span class="nc">Auth</span><span class="o">::</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">createToken</span><span class="p">(</span><span class="s1">'auth_token'</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">plainTextToken</span><span class="p">;</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span> <span class="s1">'user'</span> <span class="o">=&gt;</span> <span class="nc">Auth</span><span class="o">::</span><span class="nf">user</span><span class="p">(),</span> <span class="s1">'token'</span> <span class="o">=&gt;</span> <span class="nv">$token</span><span class="p">,</span> <span class="p">]);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">logout</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">currentAccessToken</span><span class="p">()</span><span class="o">-&gt;</span><span class="nb">delete</span><span class="p">();</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span><span class="s1">'message'</span> <span class="o">=&gt;</span> <span class="s1">'Logged out'</span><span class="p">]);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Step 5 β€” Send the token</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Authorization: Bearer 1|yourtokenhere... </code></pre> </div> <p>Note the format β€” <code>1|randomstring</code>. The number is the token ID in the database. Send the full string.</p> <h2> The 4 things that will silently break your setup </h2> <p><strong>1. Forgetting <code>HasApiTokens</code> on the User model</strong><br> You'll get a "method not found" error on <code>createToken()</code>. Always check this first.</p> <p><strong>2. Sending the token wrong</strong><br> It must be <code>Authorization: Bearer YOUR_TOKEN</code>. Not a query param, not a cookie, not <code>Token YOUR_TOKEN</code>. Bearer, exactly.</p> <p><strong>3. Not running migrations</strong><br> The <code>personal_access_tokens</code> table doesn't exist yet. Run <code>php artisan migrate</code> and confirm the table is there.</p> <p><strong>4. CORS blocking your frontend</strong><br> Add your frontend URL to <code>config/cors.php</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'allowed_origins'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'https://yourfrontend.com'</span><span class="p">],</span> <span class="s1">'supports_credentials'</span> <span class="o">=&gt;</span> <span class="kc">true</span><span class="p">,</span> </code></pre> </div> <h2> Revoking tokens </h2> <p>This is where Sanctum shines vs JWT:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Logout current device</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">currentAccessToken</span><span class="p">()</span><span class="o">-&gt;</span><span class="nb">delete</span><span class="p">();</span> <span class="c1">// Logout all devices</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">tokens</span><span class="p">()</span><span class="o">-&gt;</span><span class="nb">delete</span><span class="p">();</span> </code></pre> </div> <p>With JWT, you'd need a denylist and extra infrastructure. With Sanctum, it's one line.</p> <h2> Setting token expiry </h2> <p>In <code>config/sanctum.php</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Expire after 60 days (value is in minutes)</span> <span class="s1">'expiration'</span> <span class="o">=&gt;</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span><span class="p">,</span> <span class="c1">// Never expire</span> <span class="s1">'expiration'</span> <span class="o">=&gt;</span> <span class="kc">null</span><span class="p">,</span> </code></pre> </div> <h2> Should you use Sanctum or JWT? </h2> <p>Use <strong>Sanctum</strong> if you're building an API for your own app (SPA, mobile). Use <strong>JWT</strong> only if you need stateless cross-service auth in a microservices setup. For 90% of Laravel projects, Sanctum is the right call.</p> <p>I wrote a full breakdown here: <a href="https://pola5h.github.io/blog/laravel-api-authentication-jwt-sanctum/" rel="noopener noreferrer">Does Laravel Sanctum use JWT? β†’</a></p> <h2> Full tutorial </h2> <p>If you want the complete version with register, me endpoint, token abilities, and more β€” I wrote it up here:</p> <p>πŸ‘‰ <a href="https://pola5h.github.io/blog/laravel-sanctum-tutorial/" rel="noopener noreferrer">Laravel Sanctum Setup Tutorial (2026)</a></p> <h2> Already using Sanctum? </h2> <p>I built a <a href="https://pola5h.github.io/laravel-api-starter-kit/" rel="noopener noreferrer">Laravel API Starter Kit</a> with Sanctum pre-configured β€” auth, roles, pagination, API versioning all included. Saves a few hours on every new project. $19 on Gumroad if you want to check it out.</p> <p>What issues have you run into with Sanctum? Drop them below β€” happy to help debug.</p> webdev laravel php tutorial blade-flags gives you SVG rectangles. This gives you flags users actually recognize. K. Polash Fri, 06 Mar 2026 03:57:03 +0000 https://forem.com/polash/blade-flags-gives-you-svg-rectangles-this-gives-you-flags-users-actually-recognize-3ca1 https://forem.com/polash/blade-flags-gives-you-svg-rectangles-this-gives-you-flags-users-actually-recognize-3ca1 <p>There's already a popular Laravel flag package. <code>outhebox/blade-flags</code> has 663k installs, and it works fine.</p> <p>So why did I build another one?</p> <p>Because SVG rectangular flags and emoji flags solve <strong>different problems</strong> β€” and most Laravel apps actually need the emoji version.</p> <h2> The difference nobody talks about </h2> <p>When your user sees this in your app:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;x-flag-icon type="country" code="bd" width="24px" /&gt; </code></pre> </div> <p>They see: πŸ‡§πŸ‡©</p> <p>That's the flag they see in WhatsApp. In Twitter. In their phone keyboard. In every modern app, they use it daily. Their brain recognizes it in zero milliseconds.</p> <p><code>blade-flags</code> renders a tiny rectangular SVG of the Bangladeshi flag β€” accurate, technically correct, and completely unfamiliar to most users. It looks like something from a government website.</p> <p><strong>Emoji flags match the visual language of the modern web. SVG flags don't.</strong></p> <h2> When does this actually matter? </h2> <p>If you're building a <strong>developer tool or admin dashboard</strong> β€” use <code>blade-flags</code>. SVG flags look sharp and professional at small sizes in dense UIs.</p> <p>If you're building anything <strong>user-facing</strong> β€” locale switchers, user profiles, country selectors, chat apps, language pickers β€” use Twemoji flags. Users recognize them instantly. That recognition reduces friction.</p> <p>The mental model test: your user doesn't think "ISO 3166-1 alpha-2 code for Bangladesh." They think πŸ‡§πŸ‡©. Build for that.</p> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>composer require pola5h/laravel-flags </code></pre> </div> <p>Auto-registered on Laravel 5.5+. No config publishing, no setup. Done.</p> <h2> Usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{{-- Country flag --}} &lt;x-flag-icon type="country" code="us" width="24px" height="24px" /&gt; {{-- Language flag --}} &lt;x-flag-icon type="language" code="bn" width="24px" height="24px" /&gt; </code></pre> </div> <p>Two parameters that matter: <code>type</code> (country or language) and <code>code</code> (ISO 2-letter code). Width and height are optional β€” they default to auto.</p> <h2> Country flags </h2> <p>Any ISO 3166-1 alpha-2 code works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;x-flag-icon type="country" code="us" width="20px" /&gt; πŸ‡ΊπŸ‡Έ United States &lt;x-flag-icon type="country" code="gb" width="20px" /&gt; πŸ‡¬πŸ‡§ United Kingdom &lt;x-flag-icon type="country" code="bd" width="20px" /&gt; πŸ‡§πŸ‡© Bangladesh &lt;x-flag-icon type="country" code="de" width="20px" /&gt; πŸ‡©πŸ‡ͺ Germany &lt;x-flag-icon type="country" code="jp" width="20px" /&gt; πŸ‡―πŸ‡΅ Japan </code></pre> </div> <p>Dynamic usage from a model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;x-flag-icon type="country" code="{{ $user-&gt;country_code }}" width="20px" /&gt; </code></pre> </div> <p>250+ countries supported.</p> <h2> Language flags </h2> <p>Language flags map to the country most associated with that language. Bengali β†’ Bangladesh, Arabic β†’ Saudi Arabia, French β†’ France.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;x-flag-icon type="language" code="en" width="20px" /&gt; English &lt;x-flag-icon type="language" code="bn" width="20px" /&gt; Bengali &lt;x-flag-icon type="language" code="ar" width="20px" /&gt; Arabic &lt;x-flag-icon type="language" code="zh" width="20px" /&gt; Chinese &lt;x-flag-icon type="language" code="fr" width="20px" /&gt; French </code></pre> </div> <p>Dynamic with the current app locale:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;x-flag-icon type="language" code="{{ app()-&gt;getLocale() }}" width="20px" /&gt; </code></pre> </div> <p>100+ languages supported.</p> <h2> The use case I built this for: locale switchers </h2> <p>This is where the difference is most visible. A locale switcher with SVG flags feels like a dropdown from 2012. With Twemoji flags it feels native β€” like switching language on your iPhone.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>@foreach ($availableLocales as $locale) &lt;a href="{{ route('locale.switch', $locale) }}" class="{{ app()-&gt;getLocale() === $locale ? 'active' : '' }}"&gt; &lt;x-flag-icon type="language" code="{{ $locale }}" width="18px" height="18px" /&gt; {{ strtoupper($locale) }} &lt;/a&gt; @endforeach </code></pre> </div> <p>Clean, familiar, instant recognition.</p> <h2> Side-by-side comparison </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th><code>pola5h/laravel-flags</code></th> <th><code>outhebox/blade-flags</code></th> </tr> </thead> <tbody> <tr> <td>Flag style</td> <td>Twemoji emoji πŸ‡§πŸ‡©</td> <td>SVG rectangular</td> </tr> <tr> <td>Best for</td> <td>User-facing UI</td> <td>Admin/dev tools</td> </tr> <tr> <td>Countries</td> <td>250+</td> <td>300+</td> </tr> <tr> <td>Language flags</td> <td>βœ… Yes</td> <td>❌ No</td> </tr> <tr> <td>Zero config</td> <td>βœ… Yes</td> <td>βœ… Yes</td> </tr> <tr> <td>License</td> <td>MIT</td> <td>MIT</td> </tr> <tr> <td>Installs</td> <td>New</td> <td>663k</td> </tr> </tbody> </table></div> <p>The one thing <code>blade-flags</code> doesn't have at all: <strong>language flags</strong>. If you need to show a flag for Bengali, Arabic, or French β€” not the country, but the language β€” this package is currently your only option in the Laravel ecosystem.</p> <h2> Links </h2> <ul> <li>πŸ“¦ <strong>GitHub</strong>: <a href="https://github.com/Pola5h/FlagIcons" rel="noopener noreferrer">github.com/Pola5h/FlagIcons</a> </li> <li>🌐 <strong>Docs &amp; demo</strong>: <a href="https://pola5h.github.io/FlagIcons/" rel="noopener noreferrer">pola5h.github.io/FlagIcons</a> </li> <li>πŸ“₯ <strong>Install</strong>: <code>composer require pola5h/laravel-flags</code> </li> </ul> <p>Both packages solve real problems. Use SVG flags when precision matters for developers. Use Twemoji flags when recognition matters for users.</p> <p>If you're building something user-facing, give it a try β€” it's free, MIT licensed, and takes 30 seconds to add to any Laravel project.</p> <p>What are you building it into? I'd love to see it in the comments.</p> webdev laravel php opensource How I Structure Every Laravel REST API Project K. Polash Thu, 05 Mar 2026 15:14:53 +0000 https://forem.com/polash/how-i-structure-every-laravel-rest-api-project-33n1 https://forem.com/polash/how-i-structure-every-laravel-rest-api-project-33n1 <p>Every time I start a new Laravel API project, I used to spend half a day on the same setup:</p> <ul> <li>Sanctum authentication</li> <li>Spatie roles &amp; permissions</li> <li>Consistent JSON error responses</li> <li>API versioning</li> <li>Rate limiting</li> </ul> <p>After doing this on project after project, I finally settled on a structure that works every time. Here's exactly how I do it.</p> <h2> 1. Consistent JSON Response Format </h2> <p>The first thing I set up is a trait that forces every endpoint to return the same JSON structure. Nothing is more annoying than an API that returns different formats for success vs errors.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="kn">namespace</span> <span class="nn">App\Traits</span><span class="p">;</span> <span class="kd">trait</span> <span class="nc">ApiResponseTrait</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">successResponse</span><span class="p">(</span><span class="nv">$data</span><span class="p">,</span> <span class="nv">$message</span> <span class="o">=</span> <span class="s1">'Success'</span><span class="p">,</span> <span class="nv">$statusCode</span> <span class="o">=</span> <span class="mi">200</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span> <span class="s1">'success'</span> <span class="o">=&gt;</span> <span class="kc">true</span><span class="p">,</span> <span class="s1">'message'</span> <span class="o">=&gt;</span> <span class="nv">$message</span><span class="p">,</span> <span class="s1">'data'</span> <span class="o">=&gt;</span> <span class="nv">$data</span><span class="p">,</span> <span class="s1">'meta'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'version'</span> <span class="o">=&gt;</span> <span class="s1">'v1'</span><span class="p">,</span> <span class="s1">'timestamp'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">],</span> <span class="p">],</span> <span class="nv">$statusCode</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">errorResponse</span><span class="p">(</span><span class="nv">$message</span> <span class="o">=</span> <span class="s1">'Error'</span><span class="p">,</span> <span class="nv">$statusCode</span> <span class="o">=</span> <span class="mi">400</span><span class="p">,</span> <span class="nv">$errors</span> <span class="o">=</span> <span class="p">[])</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span> <span class="s1">'success'</span> <span class="o">=&gt;</span> <span class="kc">false</span><span class="p">,</span> <span class="s1">'message'</span> <span class="o">=&gt;</span> <span class="nv">$message</span><span class="p">,</span> <span class="s1">'errors'</span> <span class="o">=&gt;</span> <span class="nv">$errors</span><span class="p">,</span> <span class="s1">'meta'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'version'</span> <span class="o">=&gt;</span> <span class="s1">'v1'</span><span class="p">,</span> <span class="s1">'timestamp'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">],</span> <span class="p">],</span> <span class="nv">$statusCode</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">notFoundResponse</span><span class="p">(</span><span class="nv">$message</span> <span class="o">=</span> <span class="s1">'Resource not found'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">errorResponse</span><span class="p">(</span><span class="nv">$message</span><span class="p">,</span> <span class="mi">404</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">unauthorizedResponse</span><span class="p">(</span><span class="nv">$message</span> <span class="o">=</span> <span class="s1">'Unauthorized'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">errorResponse</span><span class="p">(</span><span class="nv">$message</span><span class="p">,</span> <span class="mi">401</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">validationErrorResponse</span><span class="p">(</span><span class="nv">$errors</span><span class="p">,</span> <span class="nv">$message</span> <span class="o">=</span> <span class="s1">'Validation failed'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">errorResponse</span><span class="p">(</span><span class="nv">$message</span><span class="p">,</span> <span class="mi">422</span><span class="p">,</span> <span class="nv">$errors</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Every controller uses this trait. No more inconsistent responses.</p> <h2> 2. Global Exception Handler </h2> <p>Instead of handling exceptions in every controller, I catch everything in one place.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="kn">namespace</span> <span class="nn">App\Exceptions</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Auth\AuthenticationException</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Database\Eloquent\ModelNotFoundException</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Foundation\Exceptions\Handler</span> <span class="k">as</span> <span class="nc">ExceptionHandler</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Validation\ValidationException</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Symfony\Component\HttpKernel\Exception\NotFoundHttpException</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Throwable</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">Handler</span> <span class="kd">extends</span> <span class="nc">ExceptionHandler</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">render</span><span class="p">(</span><span class="nv">$request</span><span class="p">,</span> <span class="kt">Throwable</span> <span class="nv">$exception</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">expectsJson</span><span class="p">())</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$exception</span> <span class="k">instanceof</span> <span class="nc">ModelNotFoundException</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span> <span class="s1">'success'</span> <span class="o">=&gt;</span> <span class="kc">false</span><span class="p">,</span> <span class="s1">'message'</span> <span class="o">=&gt;</span> <span class="s1">'Resource not found'</span><span class="p">,</span> <span class="p">],</span> <span class="mi">404</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$exception</span> <span class="k">instanceof</span> <span class="nc">AuthenticationException</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span> <span class="s1">'success'</span> <span class="o">=&gt;</span> <span class="kc">false</span><span class="p">,</span> <span class="s1">'message'</span> <span class="o">=&gt;</span> <span class="s1">'Unauthenticated'</span><span class="p">,</span> <span class="p">],</span> <span class="mi">401</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$exception</span> <span class="k">instanceof</span> <span class="nc">ValidationException</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span> <span class="s1">'success'</span> <span class="o">=&gt;</span> <span class="kc">false</span><span class="p">,</span> <span class="s1">'message'</span> <span class="o">=&gt;</span> <span class="s1">'Validation failed'</span><span class="p">,</span> <span class="s1">'errors'</span> <span class="o">=&gt;</span> <span class="nv">$exception</span><span class="o">-&gt;</span><span class="nf">errors</span><span class="p">(),</span> <span class="p">],</span> <span class="mi">422</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$exception</span> <span class="k">instanceof</span> <span class="nc">NotFoundHttpException</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span> <span class="s1">'success'</span> <span class="o">=&gt;</span> <span class="kc">false</span><span class="p">,</span> <span class="s1">'message'</span> <span class="o">=&gt;</span> <span class="s1">'Route not found'</span><span class="p">,</span> <span class="p">],</span> <span class="mi">404</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="k">parent</span><span class="o">::</span><span class="nf">render</span><span class="p">(</span><span class="nv">$request</span><span class="p">,</span> <span class="nv">$exception</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now every exception returns clean JSON automatically β€” no more ugly HTML error pages in your API.</p> <h2> 3. API Versioning Structure </h2> <p>I always separate routes and controllers by version. This way future changes don't break existing clients.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>app/Http/Controllers/Api/ β”œβ”€β”€ V1/ β”‚ β”œβ”€β”€ AuthController.php β”‚ └── UserController.php └── V2/ ← ready for the future </code></pre> </div> <p>In <code>routes/api.php</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">use</span> <span class="nc">App\Http\Controllers\Api\V1\AuthController</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">App\Http\Controllers\Api\V1\UserController</span><span class="p">;</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">prefix</span><span class="p">(</span><span class="s1">'v1'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">group</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="c1">// Public auth routes</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">prefix</span><span class="p">(</span><span class="s1">'auth'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">middleware</span><span class="p">(</span><span class="s1">'throttle:auth'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">group</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'register'</span><span class="p">,</span> <span class="p">[</span><span class="nc">AuthController</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'register'</span><span class="p">]);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'login'</span><span class="p">,</span> <span class="p">[</span><span class="nc">AuthController</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'login'</span><span class="p">]);</span> <span class="p">});</span> <span class="c1">// Protected routes</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">middleware</span><span class="p">(</span><span class="s1">'auth:sanctum'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">group</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="s1">'auth/logout'</span><span class="p">,</span> <span class="p">[</span><span class="nc">AuthController</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'logout'</span><span class="p">]);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'auth/me'</span><span class="p">,</span> <span class="p">[</span><span class="nc">AuthController</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'me'</span><span class="p">]);</span> <span class="nc">Route</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'users'</span><span class="p">,</span> <span class="p">[</span><span class="nc">UserController</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'index'</span><span class="p">]);</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>Clean, versioned, easy to extend.</p> <h2> 4. Sanctum Authentication </h2> <p>I use Laravel Sanctum for all API authentication. Here's a clean AuthController:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="kn">namespace</span> <span class="nn">App\Http\Controllers\Api\V1</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">App\Http\Controllers\Controller</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">App\Http\Requests\Api\LoginRequest</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">App\Http\Requests\Api\RegisterRequest</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">App\Models\User</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">App\Traits\ApiResponseTrait</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Http\Request</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Support\Facades\Auth</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Support\Facades\Hash</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">AuthController</span> <span class="kd">extends</span> <span class="nc">Controller</span> <span class="p">{</span> <span class="kn">use</span> <span class="nc">ApiResponseTrait</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">register</span><span class="p">(</span><span class="kt">RegisterRequest</span> <span class="nv">$request</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">User</span><span class="o">::</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="n">email</span><span class="p">,</span> <span class="s1">'password'</span> <span class="o">=&gt;</span> <span class="nc">Hash</span><span class="o">::</span><span class="nf">make</span><span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="n">password</span><span class="p">),</span> <span class="p">]);</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">assignRole</span><span class="p">(</span><span class="s1">'user'</span><span class="p">);</span> <span class="nv">$token</span> <span class="o">=</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">createToken</span><span class="p">(</span><span class="s1">'api-token'</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">plainTextToken</span><span class="p">;</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">successResponse</span><span class="p">([</span> <span class="s1">'user'</span> <span class="o">=&gt;</span> <span class="nv">$user</span><span class="p">,</span> <span class="s1">'token'</span> <span class="o">=&gt;</span> <span class="nv">$token</span><span class="p">,</span> <span class="p">],</span> <span class="s1">'Registration successful'</span><span class="p">,</span> <span class="mi">201</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">login</span><span class="p">(</span><span class="kt">LoginRequest</span> <span class="nv">$request</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nc">Auth</span><span class="o">::</span><span class="nf">attempt</span><span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">only</span><span class="p">(</span><span class="s1">'email'</span><span class="p">,</span> <span class="s1">'password'</span><span class="p">)))</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">unauthorizedResponse</span><span class="p">(</span><span class="s1">'Invalid credentials'</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$user</span> <span class="o">=</span> <span class="nc">Auth</span><span class="o">::</span><span class="nf">user</span><span class="p">();</span> <span class="nv">$token</span> <span class="o">=</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">createToken</span><span class="p">(</span><span class="s1">'api-token'</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">plainTextToken</span><span class="p">;</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">successResponse</span><span class="p">([</span> <span class="s1">'user'</span> <span class="o">=&gt;</span> <span class="nv">$user</span><span class="p">,</span> <span class="s1">'token'</span> <span class="o">=&gt;</span> <span class="nv">$token</span><span class="p">,</span> <span class="p">],</span> <span class="s1">'Login successful'</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">logout</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">currentAccessToken</span><span class="p">()</span><span class="o">-&gt;</span><span class="nb">delete</span><span class="p">();</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">successResponse</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="s1">'Logged out successfully'</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">me</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">successResponse</span><span class="p">(</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">load</span><span class="p">(</span><span class="s1">'roles'</span><span class="p">,</span> <span class="s1">'permissions'</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 5. Spatie Roles &amp; Permissions </h2> <p>I always use <code>spatie/laravel-permission</code> for roles. Here's my seeder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="kn">namespace</span> <span class="nn">Database\Seeders</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Database\Seeder</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Spatie\Permission\Models\Permission</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Spatie\Permission\Models\Role</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">RolePermissionSeeder</span> <span class="kd">extends</span> <span class="nc">Seeder</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">run</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="c1">// Create permissions</span> <span class="nv">$permissions</span> <span class="o">=</span> <span class="p">[</span> <span class="s1">'view users'</span><span class="p">,</span> <span class="s1">'edit users'</span><span class="p">,</span> <span class="s1">'delete users'</span><span class="p">,</span> <span class="s1">'manage roles'</span><span class="p">,</span> <span class="p">];</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$permissions</span> <span class="k">as</span> <span class="nv">$permission</span><span class="p">)</span> <span class="p">{</span> <span class="nc">Permission</span><span class="o">::</span><span class="nf">firstOrCreate</span><span class="p">([</span><span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="nv">$permission</span><span class="p">]);</span> <span class="p">}</span> <span class="c1">// Create roles and assign permissions</span> <span class="nv">$admin</span> <span class="o">=</span> <span class="nc">Role</span><span class="o">::</span><span class="nf">firstOrCreate</span><span class="p">([</span><span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'admin'</span><span class="p">]);</span> <span class="nv">$admin</span><span class="o">-&gt;</span><span class="nf">syncPermissions</span><span class="p">(</span><span class="nv">$permissions</span><span class="p">);</span> <span class="nv">$editor</span> <span class="o">=</span> <span class="nc">Role</span><span class="o">::</span><span class="nf">firstOrCreate</span><span class="p">([</span><span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'editor'</span><span class="p">]);</span> <span class="nv">$editor</span><span class="o">-&gt;</span><span class="nf">syncPermissions</span><span class="p">([</span><span class="s1">'view users'</span><span class="p">,</span> <span class="s1">'edit users'</span><span class="p">]);</span> <span class="nc">Role</span><span class="o">::</span><span class="nf">firstOrCreate</span><span class="p">([</span><span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'user'</span><span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Run <code>php artisan db:seed --class=RolePermissionSeeder</code> and you have a full role system ready.</p> <h2> 6. Rate Limiting </h2> <p>In <code>app/Providers/RouteServiceProvider.php</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">RateLimiter</span><span class="o">::</span><span class="k">for</span><span class="p">(</span><span class="s1">'api'</span><span class="p">,</span> <span class="k">function</span> <span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">Limit</span><span class="o">::</span><span class="nf">perMinute</span><span class="p">(</span><span class="mi">60</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">by</span><span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">?-&gt;</span><span class="n">id</span> <span class="o">?:</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">ip</span><span class="p">());</span> <span class="p">});</span> <span class="nc">RateLimiter</span><span class="o">::</span><span class="k">for</span><span class="p">(</span><span class="s1">'auth'</span><span class="p">,</span> <span class="k">function</span> <span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">Limit</span><span class="o">::</span><span class="nf">perMinute</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">by</span><span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">ip</span><span class="p">());</span> <span class="p">});</span> </code></pre> </div> <p>Stricter limits on auth routes to prevent brute force. General API routes get 60 requests per minute.</p> <h2> The Result </h2> <p>Every response from my API looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"success"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"John Doe"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"john@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"admin"</span><span class="p">],</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"view users"</span><span class="p">,</span><span class="w"> </span><span class="s2">"edit users"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"meta"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"v1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-03-05T10:00:00Z"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Clean, consistent, predictable. Every endpoint. Every time.</p> <h2> Wrapping Up </h2> <p>This structure took me several projects to settle on. The key principles are:</p> <ul> <li> <strong>One response format</strong> β€” use a trait, enforce it everywhere</li> <li> <strong>One place for exceptions</strong> β€” global handler, not per-controller</li> <li> <strong>Version from day one</strong> β€” you'll thank yourself later</li> <li> <strong>Roles from day one</strong> β€” adding them later is painful</li> </ul> <p>If you don't want to set all this up manually, I packaged everything into a ready-to-use starter kit β€” migrations, seeders, controllers, Postman collection, and README all included.</p> <p>πŸ‘‰ <a href="https://pola5h.github.io/laravel-api-starter-kit/" rel="noopener noreferrer">Laravel API Starter Kit</a></p> <p><em>What does your Laravel API structure look like? I'd love to hear how others approach this in the comments.</em></p> laravel webdev php api