Smart Enviro Backend uses two completely separate authentication mechanisms depending on the caller. Mobile apps and web dashboards authenticate with Laravel Sanctum Bearer tokens — short-lived secrets tied to a user account and passed in theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/GaelCeballos/Smart_Enviro_Backend/llms.txt
Use this file to discover all available pages before exploring further.
Authorization header. ESP32 microcontrollers authenticate with a static device_token string baked into the firmware at provisioning time and passed as a query parameter or request body field. These two systems never intersect: device tokens cannot call user-protected endpoints, and Sanctum tokens cannot be used to submit sensor data.
Mobile/Web Client Authentication (Laravel Sanctum)
Obtaining a Token
Send aPOST request to /api/login with valid account credentials. On success the API creates a Sanctum personal access token, stores its plain-text value in users.current_token, and returns it in the response body. You must save this token securely on the client — it cannot be retrieved again after the response is consumed.
200 OK):
Single-Session Enforcement
Smart Enviro Backend enforces one active session per user account. If a user is already logged in (i.e.users.current_token is non-null) and a second login attempt is made, the API returns 409 Conflict without issuing a new token.
DELETE /api/logout from the active session, which clears current_token.
Using the Token
Pass the token as a Bearer credential in theAuthorization header on every request to a protected endpoint:
auth:sanctum middleware validates the token, resolves the authenticated user, and makes that user available to the controller via $request->user().
Revoking the Token (Logout)
CallDELETE /api/logout while authenticated. The API deletes the current Sanctum access token record and sets users.current_token to null, immediately invalidating the session everywhere.
200 OK):
Registration
New accounts are created viaPOST /api/register. Registration does not issue a token — the user must subsequently call /api/login to obtain one.
201 Created):
Device Authentication (device_token)
ESP32 devices do not use Sanctum. Each device is provisioned with a 64-character unique string stored in the devices.device_token column. The firmware presents this token on every API call.
How It Works
Provision the device
At manufacturing or first setup, a
device_token is generated (64 characters, unique across all devices) and written to the devices table. The same value is flashed into the firmware.Sync on boot
The device calls
GET /api/device/sync, passing device_token as a query parameter. The API looks up the token, confirms the device is active, updates last_seen_at and is_online, and returns the current command and config properties.Sync Endpoint
is_active = false), the API responds:
Sensor Data Endpoint
Public Endpoints (No Auth Required)
These three endpoints are accessible without any token:| Method | URI | Description |
|---|---|---|
POST | /api/login | Authenticate a user and obtain a Sanctum Bearer token |
POST | /api/register | Create a new user account |
GET | /api/device/sync | ESP32 sync endpoint — device_token in query param |
Protected Endpoints (Sanctum Bearer Token Required)
All of the following endpoints require a validAuthorization: Bearer {token} header. Requests without a token or with an invalid/revoked token receive 401 Unauthorized.
| Method | URI | Description |
|---|---|---|
GET | /api/user | Return the currently authenticated user object |
DELETE | /api/logout | Revoke the current token and clear the active session |
GET | /api/my-devices | List all devices owned by the authenticated user |
GET | /api/my-devices/{id} | Get a single owned device with its properties |
POST | /api/my-devices/{id}/toggle | Toggle the device’s current_state (ON/OFF/STANDBY) |
PUT | /api/my-devices/{id}/properties | Update one or more device properties (key-value config) |
GET | /api/devices/available | List unowned devices available to be claimed |
POST | /api/devices/{id}/add | Claim an available device and associate it with the user |
GET | /api/sensor-data/history | Query time-series sensor readings with filters |
GET /api/user is a single-line route closure defined at the top of routes/api.php. It returns the full authenticated User model object (with password, remember_token, and current_token excluded by the model’s #[Hidden] attribute).