The ElCoco DMI Quotation Platform uses Laravel Breeze for session-based authentication and Laravel Sanctum for token-based API authentication. Choose the method that fits your client type.

Session auth

For browser-based SPAs and the admin panel. Login via form and use Laravel session cookies.

Bearer token auth

For programmatic API access to /api/v1/* endpoints. Pass a Sanctum personal access token.

Session-based authentication

Session auth is used by the admin panel and any browser SPA that targets web routes under the auth + verified middleware group.

Login

email (string, required)
    The user's email address.
password (string, required)
    The user's password.
remember (boolean, optional)
    When true, the session persists beyond the browser session via a long-lived remember-me cookie.
Login is rate-limited to 5 attempts per email/IP combination. Subsequent attempts are locked out until the rate-limit window expires.
POST /login sits behind Laravel's CSRF middleware like every other web route, so the request must carry the XSRF-TOKEN cookie obtained from GET /sanctum/csrf-cookie together with the matching X-XSRF-TOKEN header (see CSRF protection for SPA requests below). Without them Laravel answers 419 before the credentials are even checked.
curl --request POST \
  --url https://your-app.test/login \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'X-XSRF-TOKEN: <URL-decoded XSRF-TOKEN cookie value>' \
  --cookie 'XSRF-TOKEN=<cookie value>; laravel_session=<session cookie>' \
  --data '{
    "email": "admin@example.com",
    "password": "secret"
  }'
On success the server regenerates the session, sets the session cookie and responds with a 302 redirect to /dashboard. A 422 with a JSON errors object is returned when the credentials are invalid or the email/IP combination is rate limited.

Logout

POST /logout invalidates the current session and regenerates the CSRF token.
cURL
curl --request POST \
  --url https://your-app.test/logout \
  --header 'X-CSRF-TOKEN: <token>' \
  --cookie 'laravel_session=<session_cookie>'

CSRF protection for SPA requests

Before making any state-changing request (POST, PATCH, PUT, DELETE) from a JavaScript SPA, fetch the CSRF cookie first. This sets the XSRF-TOKEN cookie. Axios reads it and sends the X-XSRF-TOKEN header automatically; with the Fetch API you must read the cookie and set the header yourself.
cURL (CSRF cookie)
curl --request GET \
  --url https://your-app.test/sanctum/csrf-cookie \
  --header 'Accept: application/json'
The response sets the XSRF-TOKEN cookie. Include it as the X-XSRF-TOKEN header (or let Axios handle it automatically) on every subsequent mutating request.
1. Fetch the CSRF cookie
   Send GET /sanctum/csrf-cookie. The server responds with a 204 and sets the XSRF-TOKEN cookie (the route is in the web middleware group, so a laravel_session cookie is set at the same time).
2. Submit the login form
   Send POST /login with email and password. Include the X-XSRF-TOKEN header carrying the URL-decoded value of the XSRF-TOKEN cookie; a missing or stale token is rejected with 419.
3. Use the session cookie
   All subsequent requests are authenticated via the laravel_session cookie. Keep credentials: 'include' on every fetch call, and keep sending X-XSRF-TOKEN on every mutating request.
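The three steps above, written out as a small browser client. This is an added example, not code from the ElCoco DMI project: it assumes a same-origin SPA (so the browser attaches cookies and CORS is not in play), the XSRF-TOKEN and laravel_session cookie names from this page, and a fetch-compatible function passed in so the same flow can run offline against the constructed stub at the bottom. The stub only mimics the status codes this page documents; the real /login response body is not modelled.

```javascript
// Added example (not part of the ElCoco DMI docs): Breeze + Sanctum session login flow
// csrf-cookie -> login -> session cookie. fetchImpl is window.fetch in a browser, and
// readCookies is () => document.cookie; both are injected so the flow is testable offline.

// Laravel URL-encodes the XSRF-TOKEN cookie value; the X-XSRF-TOKEN header must carry the
// decoded value, otherwise the CSRF middleware rejects the request with 419.
function xsrfTokenFromCookies(cookieString) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === 'XSRF-TOKEN') {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Headers every state-changing request needs: JSON negotiation plus the CSRF header.
function mutatingHeaders(xsrfToken) {
  return {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    'X-Requested-With': 'XMLHttpRequest',
    'X-XSRF-TOKEN': xsrfToken,
  };
}

// Steps 1-3 from the page. Returns { ok, status[, errors] } or throws on transport/CSRF problems.
async function login(fetchImpl, readCookies, baseUrl, email, password, remember = false) {
  const csrf = await fetchImpl(`${baseUrl}/sanctum/csrf-cookie`, {
    credentials: 'include', headers: { Accept: 'application/json' },
  });
  if (csrf.status !== 204) throw new Error(`csrf-cookie failed: ${csrf.status}`);
  const token = xsrfTokenFromCookies(readCookies());
  if (!token) throw new Error('XSRF-TOKEN cookie was not set');

  const res = await fetchImpl(`${baseUrl}/login`, {
    method: 'POST',
    credentials: 'include',
    headers: mutatingHeaders(token),
    body: JSON.stringify({ email, password, remember }),
  });
  if (res.status === 422) {
    // Invalid credentials and the 5-attempt login throttle both surface as validation errors.
    return { ok: false, status: 422, errors: (await res.json()).errors };
  }
  if (res.status === 419) throw new Error('CSRF token mismatch (stale or missing XSRF-TOKEN)');
  if (!res.ok) throw new Error(`login failed: ${res.status}`);
  return { ok: true, status: res.status };
}

// Constructed stand-in for the server so the flow runs offline. It imitates the status codes
// this page documents and nothing else; it is not the real application.
function fakeServer() {
  const jar = {};
  const calls = [];
  const fetchImpl = async (url, init = {}) => {
    calls.push({ url, init });
    const path = new URL(url).pathname;
    if (path === '/sanctum/csrf-cookie') {
      jar['XSRF-TOKEN'] = encodeURIComponent('tok=en+value'); // encoded the way Laravel sends it
      return { status: 204, ok: true };
    }
    if (path === '/login') {
      if (!init.credentials || init.headers['X-XSRF-TOKEN'] !== 'tok=en+value') {
        return { status: 419, ok: false };
      }
      if (JSON.parse(init.body).password !== 'secret') {
        return { status: 422, ok: false, json: async () => ({ errors: { email: ['These credentials do not match our records.'] } }) };
      }
      jar['laravel_session'] = 'sess';
      return { status: 200, ok: true };
    }
    return { status: 404, ok: false };
  };
  const readCookies = () => Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
  return { fetchImpl, readCookies, jar, calls };
}

// Stand-alone demo against the stub; a browser SPA passes window.fetch and () => document.cookie.
if (typeof document === 'undefined') {
  const demo = fakeServer();
  login(demo.fetchImpl, demo.readCookies, 'https://your-app.test', 'admin@example.com', 'secret')
    .then((r) => console.log('login:', r, 'cookies:', demo.readCookies()));
}
```

The decode step is the one most often missed by hand-written clients: a raw, still-encoded cookie value in X-XSRF-TOKEN produces the same 419 as a missing token, which is easy to misread as a session problem.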

Bearer token authentication

Sanctum personal access tokens authenticate requests to the GET|POST /api/v1/* routes. Tokens are stored in the personal_access_tokens table.

Obtaining a token

Create a token programmatically via the createToken method on the User model (typically done in a one-time setup script or a dedicated token-issuance endpoint your team controls):
PHP (token creation)
$token = $user->createToken('api-client')->plainTextToken;
// Store this value — it is only shown once.
The plain-text token value is only available immediately after creation; Sanctum stores a SHA-256 hash of it in personal_access_tokens, so subsequent reads from the database cannot recover it. Treat the value like a password: keep it in a secrets store, never in source control, and revoke it by deleting its row when the client is retired.

Making authenticated API requests

Pass the token in the Authorization header as a Bearer token on every request to /api/v1/*.
curl --request GET \
  --url https://your-app.test/api/v1/quotes/statistics \
  --header 'Authorization: Bearer <your-token>' \
  --header 'Accept: application/json'

Rate limiting

All auth:sanctum protected endpoints under /api/v1/* carry throttle:30,1, i.e. 30 requests per minute. Exceeding this limit returns a 429 Too Many Requests response with a Retry-After header. Note that Laravel's stock throttle middleware keys the counter on the authenticated user's ID rather than on the token, so all tokens issued to the same user share one 30-request budget unless a custom rate limiter is configured.
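A client for the bearer-token requests and the throttle described above, as an added example that is not code from the ElCoco DMI project. It assumes a personal access token obtained out of band, a fetch-compatible function passed in so it runs offline against the constructed stub, and Laravel's stock throttle response (429 carrying Retry-After and X-RateLimit-* headers). The statistics payload in the stub is made up; the real /api/v1/quotes/statistics response shape is not documented on this page.

```javascript
// Added example (not part of the ElCoco DMI docs): Sanctum bearer-token client that
// respects the 30 req/min throttle. fetchImpl and sleep are injected for offline testing.

// Accept: application/json matters: without it Laravel redirects unauthenticated requests
// to the login page instead of answering 401.
function bearerHeaders(token) {
  return { Authorization: `Bearer ${token}`, Accept: 'application/json' };
}

// Rate-limit headers Laravel's throttle middleware emits; Retry-After only appears on 429.
function rateLimitState(headers) {
  const get = (n) => headers.get(n);
  return {
    limit: Number(get('X-RateLimit-Limit')),
    remaining: Number(get('X-RateLimit-Remaining')),
    retryAfter: get('Retry-After') !== null ? Number(get('Retry-After')) : null,
  };
}

// GET an /api/v1 resource. On 429 wait Retry-After seconds (capped) and retry a bounded
// number of times; on 401 the token is missing or revoked, so fail fast instead of retrying.
async function apiGet(fetchImpl, sleep, baseUrl, token, path, { maxRetries = 1, maxWaitSeconds = 60 } = {}) {
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(`${baseUrl}${path}`, { headers: bearerHeaders(token) });
    const rl = rateLimitState(res.headers);
    if (res.status === 429 && attempt < maxRetries) {
      const wait = Math.min(rl.retryAfter ?? 1, maxWaitSeconds);
      await sleep(wait * 1000);
      continue;
    }
    if (res.status === 401) throw new Error('unauthenticated: token missing, revoked or malformed');
    if (!res.ok) throw new Error(`request failed: ${res.status}`);
    return { data: await res.json(), rateLimit: rl, attempts: attempt + 1 };
  }
}

// Constructed stand-in for the API: the first call with a valid token is throttled, the
// second succeeds, any other token gets 401. Not the real application.
function fakeApi(validToken) {
  let calls = 0;
  const h = (obj) => ({ get: (n) => (n in obj ? obj[n] : null) });
  const fetchImpl = async (url, init) => {
    calls++;
    if (init.headers.Authorization !== `Bearer ${validToken}`) {
      return { status: 401, ok: false, headers: h({}) };
    }
    if (calls === 1) {
      return { status: 429, ok: false, headers: h({ 'Retry-After': '2', 'X-RateLimit-Limit': '30', 'X-RateLimit-Remaining': '0' }) };
    }
    return {
      status: 200, ok: true,
      headers: h({ 'X-RateLimit-Limit': '30', 'X-RateLimit-Remaining': '29' }),
      json: async () => ({ total_quotes: 12 }), // constructed payload, not the documented shape
    };
  };
  return { fetchImpl, count: () => calls };
}

// Stand-alone demo against the stub; a real client passes fetch and a timer-based sleep.
if (typeof window === 'undefined') {
  const api = fakeApi('t0k3n');
  apiGet(api.fetchImpl, (ms) => new Promise((r) => setTimeout(r, Math.min(ms, 10))),
    'https://your-app.test', 't0k3n', '/api/v1/quotes/statistics')
    .then((r) => console.log('statistics:', r));
}
```

Bounding both the retry count and the wait keeps a misconfigured or hostile Retry-After from parking the client indefinitely, and treating 401 as terminal avoids burning the shared per-user budget on a token that will never work.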

Route summary

Method | Path                 | Middleware                  | Purpose
GET    | /sanctum/csrf-cookie |                             | Set CSRF cookie for SPA
POST   | /login               | guest                       | Authenticate and start session
POST   | /logout              | auth                        | Invalidate session
GET    | /api/v1/*            | auth:sanctum, throttle:30,1 | Bearer token protected API
Web admin routes (/admin/cotizaciones/*, /bloques/*) require the auth and verified middleware — the logged-in user must have a verified email address before those routes are accessible.
