The Tourify API is a JSON REST API built with Laravel 13 and secured by Laravel Sanctum. This page covers the base URL, response conventions, authentication mechanism, endpoint index, HTTP status codes, and CORS policy.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/astrxnomo/tourify/llms.txt
Use this file to discover all available pages before exploring further.
Base URL
| Environment | Base URL |
|---|---|
| Development | http://localhost:8000/api |
| Production | https://<your-server>/api |
The API does not use a versioning prefix — all routes are mounted directly under
/api/. For example, the login endpoint is /api/auth/login, not /api/v1/auth/login.Response Format
Every response from the Tourify API is JSON. Successful responses return the requested resource or a confirmation message directly at the top level. There is no universaldata wrapper — the shape varies per endpoint.
Single resource example
Authentication
Tourify uses Laravel Sanctum bearer tokens for authentication. Tokens are plain-text strings tied to a specific user and device session. To authenticate a request, include the token in theAuthorization header:
POST /api/auth/register or POST /api/auth/login. Both endpoints return a user object and a token string.
See the Authentication page for the full token lifecycle.
Endpoint Categories
Public — No authentication required
These endpoints are open to all clients without any token:| Resource | Endpoints |
|---|---|
| Auth | POST /api/auth/register, POST /api/auth/login, POST /api/auth/forgot-password |
| Cities | GET /api/cities, GET /api/cities/{city} |
| Categories | GET /api/categories, GET /api/categories/{category} |
| Places | GET /api/places, GET /api/places/{place} |
| Events | GET /api/events, GET /api/events/{event} |
Protected — Authorization: Bearer {token} required
These endpoints require a valid Sanctum token. Requests without a token or with an invalid token receive HTTP 401 Unauthenticated.
| Resource | Endpoints |
|---|---|
| Auth (user) | POST /api/auth/logout, GET /api/auth/me |
| Favorites | GET /api/favorites, POST /api/favorites, DELETE /api/favorites/{favorite}, DELETE /api/favorites |
| Reviews | POST /api/places/{place}/reviews, POST /api/events/{event}/reviews |
| Registrations | GET /api/my/registrations, POST /api/events/{event}/register, DELETE /api/events/{event}/register |
| Notifications | GET /api/notifications, PATCH /api/notifications/read-all, PATCH /api/notifications/{notification}/read |
| Push Token | POST /api/push-token |
Resource Groups
Auth
Register, login, logout, get current user, and forgot-password.
Cities
List and retrieve tourism cities.
Categories
List and retrieve place/event categories.
Places
Browse and retrieve points of interest.
Events
Discover and retrieve tourism events.
Favorites
Save and manage the authenticated user’s favorites.
Reviews
Submit reviews for places and events.
Registrations
Register for and manage event attendance.
Notifications
Retrieve and mark in-app notifications as read.
HTTP Status Codes
| Code | Meaning | When it occurs |
|---|---|---|
200 | OK | Successful GET, PATCH, or DELETE request. |
201 | Created | Resource successfully created (e.g., POST /api/auth/register). |
401 | Unauthenticated | Missing, invalid, or revoked bearer token on a protected endpoint. |
403 | Forbidden | Token is valid but the user lacks permission for the requested action. |
404 | Not Found | The requested resource ID does not exist. |
422 | Unprocessable Entity | Request payload failed validation. See the error body below. |
Validation Errors (422)
When a request fails Laravel’s validation rules, the API returnsHTTP 422 with a JSON body containing a human-readable message and an errors object that maps each invalid field to an array of error strings.
The
errors object always uses the request field name as the key. Iterate over errors in your client to surface per-field validation messages in the UI.CORS
The API is configured to accept requests from any origin (allowed_origins: *) on all HTTP methods and headers. This means the Expo app — running on any local IP during development — can reach the API without additional CORS configuration changes.