CareerTrack API uses Laravel Sanctum to secure access to protected endpoints. Sanctum issues a plain-text API token to each user upon registration or login. You include this token as a Bearer value in the Authorization header of every request that requires authentication — no cookies or session state involved.
How Authentication Works
The flow is straightforward:
- Register a new user account at POST /api/auth/register. The response includes a fresh API token.
- Log in an existing user at POST /api/auth/login. Again, the response returns a token.
- Attach the token to every subsequent request via the Authorization: Bearer <token> header.
- Protected routes — all /api/applications endpoints and /api/stats — validate the token using the auth:sanctum middleware. Requests without a valid token receive a 401 Unauthorized response.
Registering
Create a new user account and receive an API token in a single request. Endpoint: POST /api/auth/register
Request Parameters
- name: The user's full name. Maximum 255 characters.
- email: A unique, valid email address for the account. Maximum 255 characters.
- password: The account password. Minimum 8 characters.
- password_confirmation: Must exactly match the password field. Used by Laravel's confirmed validation rule.
Example Request
Response 201 Created
- The newly created user object, including id, name, email, created_at, and updated_at.
- A plain-text Sanctum API token. Use this as the Bearer token for all subsequent authenticated requests.
Logging In
Authenticate an existing user and receive a new API token. Endpoint: POST /api/auth/login
Request Parameters
- email: The email address associated with the account.
- password: The account password.
Example Request
Response 200 OK
An unsuccessful login returns a 422 Unprocessable Content response with a validation error on the email field.
Using the Token
Include the token returned from registration or login in the Authorization header of every request to a protected endpoint.
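As an added example (not the CareerTrack API's own code), the following Python script walks the flow described above end to end: it starts a small in-process stand-in for the register, login and protected routes, then drives it with a client that sends the token as the Bearer value. The stand-in only mimics the documented status codes (201 on registration, 200 on login, 422 with the error on the email field for a rejected login, 401 for a protected route without a valid token). The "user" and "token" response keys, the error bodies, the request field names (name, email, password, password_confirmation, taken from Laravel conventions) and the sample user are assumptions or constructed values, not taken from the project.

```python
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# In-process stand-in for the API described above (constructed for this example;
# the "user"/"token" response keys and the error bodies are assumptions).
USERS = {}   # email -> user record; storing plain-text passwords is acceptable only in this fake
TOKENS = {}  # plain-text token -> user id: the "valid token" set the auth:sanctum stand-in checks

def _issue_token(user_id):
    token = secrets.token_urlsafe(32)  # random like Sanctum's tokens (which are hashed at rest)
    TOKENS[token] = user_id
    return token

class FakeCareerTrack(BaseHTTPRequestHandler):
    def log_message(self, *_): pass  # silence per-request logging

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        p = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if self.path == "/api/auth/register":
            pw = p.get("password", "")
            if len(pw) < 8 or pw != p.get("password_confirmation"):  # min 8 chars + confirmed rule
                return self._send(422, {"errors": {"password": ["invalid or not confirmed"]}})
            user = {"id": len(USERS) + 1, "name": p["name"], "email": p["email"]}
            USERS[user["email"]] = {**user, "password": pw}
            return self._send(201, {"user": user, "token": _issue_token(user["id"])})
        if self.path == "/api/auth/login":
            u = USERS.get(p.get("email"))
            if u is None or u["password"] != p.get("password"):  # rejected login: 422 on the email field
                return self._send(422, {"errors": {"email": ["These credentials do not match our records."]}})
            return self._send(200, {"user": {k: u[k] for k in ("id", "name", "email")},
                                    "token": _issue_token(u["id"])})
        self._send(404, {"message": "Not Found"})

    def do_GET(self):
        auth = self.headers.get("Authorization", "")  # auth:sanctum stand-in: known Bearer token or 401
        uid = TOKENS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
        if self.path.startswith("/api/applications") or self.path == "/api/stats":
            if uid is None:
                return self._send(401, {"message": "Unauthenticated."})
            return self._send(200, {"data": [], "user_id": uid})
        self._send(404, {"message": "Not Found"})

class CareerTrackClient:
    """Consumer side: obtain a token, then send it as the Bearer value on every call."""
    def __init__(self, base_url):
        self.base_url, self.token = base_url, None

    def _call(self, method, path, payload=None):
        headers = {"Accept": "application/json", "Content-Type": "application/json"}
        if self.token:  # attach the token as soon as we hold one
            headers["Authorization"] = f"Bearer {self.token}"
        req = request.Request(self.base_url + path, method=method, headers=headers,
                              data=None if payload is None else json.dumps(payload).encode())
        try:
            with request.urlopen(req) as resp:
                return resp.status, json.load(resp)
        except error.HTTPError as e:  # 4xx responses carry a JSON body too
            return e.code, json.load(e)

    def register(self, name, email, password):
        status, body = self._call("POST", "/api/auth/register", {"name": name, "email": email,
                                  "password": password, "password_confirmation": password})
        self.token = body["token"] if status == 201 else self.token
        return status, body

    def login(self, email, password):
        status, body = self._call("POST", "/api/auth/login", {"email": email, "password": password})
        self.token = body["token"] if status == 200 else self.token
        return status, body

    def applications(self):
        return self._call("GET", "/api/applications")

def run_flow():
    """Drive the documented flow end to end; returns the status code observed at each step."""
    USERS.clear(); TOKENS.clear()
    server = HTTPServer(("127.0.0.1", 0), FakeCareerTrack)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    client = CareerTrackClient(f"http://127.0.0.1:{server.server_address[1]}")
    try:
        seen = {"no_token": client.applications()[0]}                                        # 401
        seen["register"] = client.register("Ada Example", "ada@example.com", "correct horse battery")[0]  # 201
        seen["with_token"] = client.applications()[0]                                        # 200
        seen["bad_login"], body = client.login("ada@example.com", "wrong-password")           # 422
        seen["bad_login_field"] = next(iter(body["errors"]))                                 # "email"
        seen["login"] = client.login("ada@example.com", "correct horse battery")[0]           # 200
        return seen
    finally:
        server.shutdown()
        server.server_close()
```

Call run_flow() to see the code observed at each step. The point to notice is that the same GET /api/applications request is refused with 401 before a token has been issued and accepted with 200 once the client holds one, and that a rejected login neither issues a token nor disturbs the one already held.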
Logging Out
The AuthController includes a logout method that invalidates the current token. The corresponding route (POST /api/auth/logout) is not yet exposed but is planned as part of an upcoming release. In the meantime, you can invalidate a session by discarding the token on the client side or by re-issuing a new one via login.
Store tokens securely. Treat API tokens like passwords — never hard-code them in source files, expose them in client-side JavaScript bundles, or log them to output streams. Use environment variables or a secrets manager to keep them safe.