
CareerTrack API uses Laravel Sanctum to secure access to protected endpoints. Sanctum issues a plain-text API token to each user upon registration or login. You include this token as a Bearer value in the Authorization header of every request that requires authentication — no cookies or session state involved.

How Authentication Works

The flow is straightforward:
  1. Register a new user account at POST /api/auth/register. The response includes a fresh API token.
  2. Log in an existing user at POST /api/auth/login. Again, the response returns a token.
  3. Attach the token to every subsequent request via the Authorization: Bearer <token> header.
  4. Protected routes — all /api/applications endpoints and /api/stats — validate the token using the auth:sanctum middleware. Requests without a valid token receive a 401 Unauthorized response.

Registering

Create a new user account and receive an API token in a single request. Endpoint: POST /api/auth/register

Request Parameters

name (string, required): The user’s full name. Maximum 255 characters.
email (string, required): A unique, valid email address for the account. Maximum 255 characters.
password (string, required): The account password. Minimum 8 characters.
password_confirmation (string, required): Must exactly match the password field. Used by Laravel’s confirmed validation rule.

Example Request

curl -s -X POST http://127.0.0.1:8000/api/auth/register \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{
    "name": "Jane Doe",
    "email": "jane@example.com",
    "password": "secret123",
    "password_confirmation": "secret123"
  }'

Response 201 Created

{
  "user": {
    "id": 1,
    "name": "Jane Doe",
    "email": "jane@example.com",
    "created_at": "2024-05-01T10:00:00.000000Z",
    "updated_at": "2024-05-01T10:00:00.000000Z"
  },
  "token": "1|aBcDeFgHiJkLmNoPqRsTuVwXyZ123456"
}

user (object): The newly created user object, including id, name, email, created_at, and updated_at.
token (string): A plain-text Sanctum API token. Use this as the Bearer token for all subsequent authenticated requests.

Logging In

Authenticate an existing user and receive a new API token. Endpoint: POST /api/auth/login

Request Parameters

email (string, required): The email address associated with the account.
password (string, required): The account password.

Example Request

curl -s -X POST http://127.0.0.1:8000/api/auth/login \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{
    "email": "jane@example.com",
    "password": "secret123"
  }'

Response 200 OK

{
  "user": {
    "id": 1,
    "name": "Jane Doe",
    "email": "jane@example.com",
    "created_at": "2024-05-01T10:00:00.000000Z",
    "updated_at": "2024-05-01T10:00:00.000000Z"
  },
  "token": "2|xYzAbCdEfGhIjKlMnOpQrStUvWx789012"
}

If the credentials are incorrect, the API returns a 422 Unprocessable Content response with a validation error on the email field:

{
  "message": "The provided credentials are incorrect.",
  "errors": {
    "email": ["The provided credentials are incorrect."]
  }
}

Using the Token

Include the token returned from registration or login in the Authorization header of every request to a protected endpoint.

# Store your token in an environment variable
export CAREERTRACK_TOKEN="1|aBcDeFgHiJkLmNoPqRsTuVwXyZ123456"

# Use it in any protected request
curl -s -X GET http://127.0.0.1:8000/api/applications \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $CAREERTRACK_TOKEN"

The header format is always:

Authorization: Bearer YOUR_TOKEN

All /api/applications endpoints (GET, POST, PUT, DELETE) and GET /api/stats require a valid Bearer token. Requests made without an Authorization header — or with an invalid or expired token — will receive a 401 Unauthorized response.
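The whole flow in one client, as an added example that is not part of the CareerTrack project: register or log in, keep the token in memory, send it as a Bearer header, and handle the documented 422 and 401 replies. The CareerTrackClient class, the CAREERTRACK_BASE_URL variable and fake_transport (a constructed stand-in that replays the responses shown above, plus constructed bodies for the 401 reply and the applications list, which this page does not show) are assumptions, not the API's own code or behaviour.

```python
import json
import os
import urllib.error
import urllib.request

# Assumed env var name for the server address; the docs use 127.0.0.1:8000.
BASE_URL = os.environ.get("CAREERTRACK_BASE_URL", "http://127.0.0.1:8000")


class ApiError(Exception):
    """Raised for any 4xx/5xx reply; carries the status and the parsed JSON body."""

    def __init__(self, status, body):
        super().__init__(f"HTTP {status}: {body.get('message', '')}")
        self.status = status
        self.body = body


def http_json(method, url, payload=None, token=None):
    """Real transport: send JSON, return (status, parsed JSON body).

    Accept: application/json makes Laravel answer validation and auth
    failures with JSON (422 / 401) rather than a redirect or an HTML page.
    """
    headers = {"Accept": "application/json"}
    data = None
    if payload is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(payload).encode()
    if token:
        headers["Authorization"] = f"Bearer {token}"  # the documented header format
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class CareerTrackClient:
    """Keeps the Bearer token in memory only; it is never logged or persisted."""

    def __init__(self, base_url=BASE_URL, transport=http_json):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = None

    def _call(self, method, path, payload=None, auth=False):
        token = self.token if auth else None
        status, body = self.transport(method, self.base_url + path, payload, token)
        if status >= 400:
            raise ApiError(status, body)
        return body

    def register(self, name, email, password):
        body = self._call("POST", "/api/auth/register", {
            "name": name, "email": email,
            "password": password, "password_confirmation": password,
        })
        self.token = body["token"]  # plain-text token, returned only at issue time
        return body["user"]

    def login(self, email, password):
        body = self._call("POST", "/api/auth/login",
                          {"email": email, "password": password})
        self.token = body["token"]
        return body["user"]

    def applications(self):
        return self._call("GET", "/api/applications", auth=True)


def status_of(call, *args):
    """Return the HTTP status a call fails with, or None when it succeeds."""
    try:
        call(*args)
        return None
    except ApiError as err:
        return err.status


# Constructed stand-in for the server: replays the responses documented above.
_USER = {"id": 1, "name": "Jane Doe", "email": "jane@example.com"}
_ISSUED = {"1|aBcDeFgHiJkLmNoPqRsTuVwXyZ123456", "2|xYzAbCdEfGhIjKlMnOpQrStUvWx789012"}


def fake_transport(method, url, payload=None, token=None):
    path = url.split("/api", 1)[1]
    if method == "POST" and path == "/auth/register":
        return 201, {"user": _USER, "token": "1|aBcDeFgHiJkLmNoPqRsTuVwXyZ123456"}
    if method == "POST" and path == "/auth/login":
        if payload == {"email": "jane@example.com", "password": "secret123"}:
            return 200, {"user": _USER, "token": "2|xYzAbCdEfGhIjKlMnOpQrStUvWx789012"}
        return 422, {"message": "The provided credentials are incorrect.",
                     "errors": {"email": ["The provided credentials are incorrect."]}}
    if token not in _ISSUED:  # what auth:sanctum does with a missing or bad token
        return 401, {"message": "Unauthenticated."}  # constructed body
    return 200, {"data": []}  # constructed applications list


if __name__ == "__main__":
    client = CareerTrackClient("http://fake", transport=fake_transport)
    print("unauthenticated ->", status_of(client.applications))
    client.register("Jane Doe", "jane@example.com", "secret123")
    print("after register ->", client.applications())
```

Swap fake_transport for the default http_json (or just omit the transport argument) to run the same sequence against a local server; the client code does not change.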

Logging Out

The AuthController includes a logout method that invalidates the current token by calling:

$request->user()->currentAccessToken()->delete();

This permanently deletes the token from the database, ensuring it can never be used again. A dedicated logout route (POST /api/auth/logout) is not yet exposed but is planned as part of an upcoming release. In the meantime, you can invalidate a session by discarding the token on the client side or by re-issuing a new one via login.

Store tokens securely. Treat API tokens like passwords — never hard-code them in source files, expose them in client-side JavaScript bundles, or log them to output streams. Use environment variables or a secrets manager to keep them safe.
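To make the logout and storage advice concrete, here is an added Python model (not Sanctum's or the project's code) of the token lifecycle described above: a token is issued as "<row id>|<random>", only a SHA-256 digest of the random part is stored (the scheme Sanctum's PersonalAccessToken uses, which is why a leaked table does not yield usable tokens), a presented Bearer value is resolved by row id and compared in constant time, and logout deletes the row. The TokenStore class, the optional lifetime, the 40-character random part and the row layout are assumptions. It also shows the caveat behind the interim advice: a token the client merely discards is still accepted by the server until its row is deleted.

```python
import hashlib
import hmac
import secrets
import time


class TokenStore:
    """In-memory stand-in for a personal access tokens table (assumed layout).

    Only a SHA-256 digest of the random part is kept; the plain text exists
    only in the response that issued it and wherever the client puts it.
    """

    def __init__(self, lifetime_seconds=None, now=time.time):
        self._rows = {}  # row id -> {"user_id", "digest", "issued_at"}
        self._next_id = 1
        self.lifetime = lifetime_seconds  # None: never expires (Sanctum's default)
        self.now = now

    @staticmethod
    def _digest(plain):
        return hashlib.sha256(plain.encode()).hexdigest()

    def issue(self, user_id):
        """Create a token and return its one-time plain text, '<row id>|<random>'."""
        plain = secrets.token_hex(20)  # 40 random hex chars (length is an assumption)
        row_id = self._next_id
        self._next_id += 1
        self._rows[row_id] = {"user_id": user_id, "digest": self._digest(plain),
                              "issued_at": self.now()}
        return f"{row_id}|{plain}"

    def _lookup(self, bearer):
        """Resolve a presented token to its row id, or None if nothing matches."""
        if "|" not in bearer:
            return None
        row_id, plain = bearer.split("|", 1)
        if not row_id.isdigit():
            return None
        row = self._rows.get(int(row_id))
        if row is None:
            return None
        # constant-time comparison of digests, as PHP's hash_equals() does
        if not hmac.compare_digest(row["digest"], self._digest(plain)):
            return None
        return int(row_id)

    def authenticate(self, bearer):
        """Return the owning user id for a valid, unexpired token, else None (401)."""
        row_id = self._lookup(bearer)
        if row_id is None:
            return None
        row = self._rows[row_id]
        if self.lifetime is not None and self.now() - row["issued_at"] > self.lifetime:
            return None
        return row["user_id"]

    def revoke(self, bearer):
        """Server-side logout: delete the row, as currentAccessToken()->delete() does."""
        row_id = self._lookup(bearer)
        if row_id is None:
            return False
        del self._rows[row_id]
        return True

    def revoke_all(self, user_id):
        """Invalidate every token a user holds, e.g. after a suspected leak."""
        doomed = [rid for rid, row in self._rows.items() if row["user_id"] == user_id]
        for rid in doomed:
            del self._rows[rid]
        return len(doomed)


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue(user_id=1)
    print("valid for user:", store.authenticate(token))
    # "Forgetting" the token on the client changes nothing server-side:
    print("still valid:", store.authenticate(token))
    store.revoke(token)
    print("after logout:", store.authenticate(token))  # None
```

The revoke_all method is the server-side answer to a token that has been logged or committed: rotate by deleting every row for the user and issuing a fresh one via login.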
