Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/astrxnomo/tourify/llms.txt

Use this file to discover all available pages before exploring further.

The Tourify API is a JSON REST API built with Laravel 13 and secured by Laravel Sanctum. This page covers the base URL, response conventions, authentication mechanism, endpoint index, HTTP status codes, and CORS policy.

Base URL

EnvironmentBase URL
Developmenthttp://localhost:8000/api
Productionhttps://<your-server>/api
The API does not use a versioning prefix — all routes are mounted directly under /api/. For example, the login endpoint is /api/auth/login, not /api/v1/auth/login.

Response Format

Every response from the Tourify API is JSON. Successful responses return the requested resource or a confirmation message directly at the top level. There is no universal data wrapper — the shape varies per endpoint. Single resource example
{
  "id": 1,
  "name": "María García",
  "email": "maria@example.com",
  "role_id": 2,
  "push_token": null,
  "created_at": "2024-06-01T10:00:00.000000Z",
  "updated_at": "2024-06-01T10:00:00.000000Z"
}
Collection example
[
  {
    "id": 1,
    "name": "Barcelona",
    "country": "Spain"
  },
  {
    "id": 2,
    "name": "Madrid",
    "country": "Spain"
  }
]
Action confirmation example
{
  "message": "Sesión cerrada correctamente."
}

Authentication

Tourify uses Laravel Sanctum bearer tokens for authentication. Tokens are plain-text strings tied to a specific user and device session. To authenticate a request, include the token in the Authorization header:
Authorization: Bearer {your-token}
Obtain a token by calling POST /api/auth/register or POST /api/auth/login. Both endpoints return a user object and a token string. See the Authentication page for the full token lifecycle.

Endpoint Categories

Public — No authentication required

These endpoints are open to all clients without any token:
ResourceEndpoints
AuthPOST /api/auth/register, POST /api/auth/login, POST /api/auth/forgot-password
CitiesGET /api/cities, GET /api/cities/{city}
CategoriesGET /api/categories, GET /api/categories/{category}
PlacesGET /api/places, GET /api/places/{place}
EventsGET /api/events, GET /api/events/{event}

Protected — Authorization: Bearer {token} required

These endpoints require a valid Sanctum token. Requests without a token or with an invalid token receive HTTP 401 Unauthenticated.
ResourceEndpoints
Auth (user)POST /api/auth/logout, GET /api/auth/me
FavoritesGET /api/favorites, POST /api/favorites, DELETE /api/favorites/{favorite}, DELETE /api/favorites
ReviewsPOST /api/places/{place}/reviews, POST /api/events/{event}/reviews
RegistrationsGET /api/my/registrations, POST /api/events/{event}/register, DELETE /api/events/{event}/register
NotificationsGET /api/notifications, PATCH /api/notifications/read-all, PATCH /api/notifications/{notification}/read
Push TokenPOST /api/push-token

Resource Groups

Auth

Register, login, logout, get current user, and forgot-password.

Cities

List and retrieve tourism cities.

Categories

List and retrieve place/event categories.

Places

Browse and retrieve points of interest.

Events

Discover and retrieve tourism events.

Favorites

Save and manage the authenticated user’s favorites.

Reviews

Submit reviews for places and events.

Registrations

Register for and manage event attendance.

Notifications

Retrieve and mark in-app notifications as read.

HTTP Status Codes

CodeMeaningWhen it occurs
200OKSuccessful GET, PATCH, or DELETE request.
201CreatedResource successfully created (e.g., POST /api/auth/register).
401UnauthenticatedMissing, invalid, or revoked bearer token on a protected endpoint.
403ForbiddenToken is valid but the user lacks permission for the requested action.
404Not FoundThe requested resource ID does not exist.
422Unprocessable EntityRequest payload failed validation. See the error body below.

Validation Errors (422)

When a request fails Laravel’s validation rules, the API returns HTTP 422 with a JSON body containing a human-readable message and an errors object that maps each invalid field to an array of error strings.
{
  "message": "The email field must be a valid email address. (and 1 more error)",
  "errors": {
    "email": [
      "The email field must be a valid email address."
    ],
    "password": [
      "The password field must be at least 8 characters."
    ]
  }
}
The errors object always uses the request field name as the key. Iterate over errors in your client to surface per-field validation messages in the UI.

CORS

The API is configured to accept requests from any origin (allowed_origins: *) on all HTTP methods and headers. This means the Expo app — running on any local IP during development — can reach the API without additional CORS configuration changes.

Build docs developers (and LLMs) love