Use this file to discover all available pages before exploring further.
Tourify authenticates mobile clients with Laravel Sanctum opaque bearer tokens. This page explains how tokens are issued, how to include them in requests, their lifetime, and how to revoke them.
Tourify’s API is protected by Laravel Sanctum using opaque, plain-text bearer tokens. The model is fully stateless from the API’s perspective:
Tokens are generated server-side and returned once — the server does not store the plain-text value.
The client is responsible for persisting the token securely and sending it on every protected request.
Each call to /api/auth/register or /api/auth/login creates a new, independent token — a user can hold multiple active tokens simultaneously (one per device or session).
Tokens have no expiration by default (expiration: null in config/sanctum.php). They remain valid until explicitly revoked via logout.
On mobile, store the token with Expo SecureStore — the Tourify app already does this. SecureStore encrypts values at rest using the device’s secure enclave, making it significantly safer than AsyncStorage.
Both the register and login endpoints return identical response shapes: a user object and a plain-text token string. Save the token immediately after receiving it.
If credentials are incorrect, the API returns HTTP 422 with errors.email set to "Las credenciales no son correctas.".
3
Store the token on the client
Save the token string to secure storage immediately after a successful register or login response. In the Tourify Expo app, this is handled with expo-secure-store:
import * as SecureStore from 'expo-secure-store';await SecureStore.setItemAsync('auth_token', token);
The following shell script logs in, captures the token from the JSON response, then calls the protected GET /api/auth/me endpoint to retrieve the authenticated user’s profile.
# Step 1: Log in and extract the tokenTOKEN=$(curl -s -X POST http://localhost:8000/api/auth/login \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ -d '{"email":"maria@example.com","password":"securepassword"}' \ | grep -o '"token":"[^"]*"' \ | cut -d'"' -f4)echo "Token: $TOKEN"# Step 2: Call a protected endpoint using the tokencurl -X GET http://localhost:8000/api/auth/me \ -H "Accept: application/json" \ -H "Authorization: Bearer $TOKEN"
Every call to /api/auth/register or /api/auth/login issues a brand-new token — it does not invalidate previous tokens. This allows a single user to be logged in on multiple devices at the same time, each holding its own independent token.
Device A → login → token_A (valid)Device B → login → token_B (valid, independent of token_A)
Tokens do not expire automatically — expiration is set to null in config/sanctum.php. A token remains valid indefinitely until it is explicitly revoked by calling POST /api/auth/logout with that token in the Authorization header.
POST /api/auth/logout deletes only the current access token (the one attached to the incoming request). Other tokens belonging to the same user on other devices are not affected.
Opaque plain-text Sanctum bearer token. Include this value in the Authorization: Bearer {token} header on all subsequent protected requests. Not returned by GET /api/auth/me.