Cole protects its API using Laravel Sanctum personal access tokens. When you register or log in, the API returns a plain-text Bearer token that you include in theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/iamalexis689725/cole/llms.txt
Use this file to discover all available pages before exploring further.
Authorization header of every subsequent request. There are no cookies, no sessions, and no OAuth flows — just a token that travels with every call. Tokens are stored hashed in the personal_access_tokens table and are invalidated immediately on logout or on the next login (token rotation).
How Authentication Works
- Call
POST /api/auth/registerorPOST /api/auth/loginto obtain a token. - Store the token securely on the client (e.g. in memory or a secure storage mechanism — never in
localStoragefor sensitive deployments). - Include the token in every protected request as
Authorization: Bearer {token}. - On logout, the current token is deleted server-side and becomes immediately invalid.
- On the next login, all existing tokens for that user are deleted before a new one is issued, ensuring only one active session per user at any time.
All auth endpoints are prefixed with
/api/auth. Requests must include an Accept: application/json header to receive JSON error responses instead of HTML redirects.POST /api/auth/register
Creates a new user account, assigns the specified role, and returns a Bearer token. The user is active immediately — no email verification step is required.Request Parameters
The full display name of the user. Maximum 255 characters.
A valid, unique email address. Used as the login identifier. Maximum 255 characters.
The user’s password. Minimum 6 characters. Stored as a bcrypt hash — never in plain text.
The role to assign to the new user. Must be one of:
super-admin, director, profesor, estudiante, padre. Validated against the roles table — run RoleSeeder before registering any users.Example Request
Response — 201 Created
A confirmation string:
"Usuario registrado correctamente".The newly created user object.
An array of role name strings assigned to this user, e.g.
["director"].The plain-text Sanctum Bearer token. This is the only time the plain-text token is returned — store it immediately.
POST /api/auth/login
Authenticates an existing user by email and password. All previously issued tokens for the user are deleted before a new token is created — Cole enforces a single active session per user.Request Parameters
The email address used when the account was registered.
The account password in plain text. Compared against the stored bcrypt hash.
Token rotation: every successful login calls
$user->tokens()->delete() before issuing a fresh token. If you have multiple clients (e.g. a web app and a mobile app) sharing the same user account, logging in on one will immediately invalidate the token held by the other.Example Request
Response — 200 OK
A confirmation string:
"Login exitoso".The authenticated user object (same shape as the register response).
An array of role name strings currently assigned to the user.
A freshly issued plain-text Sanctum Bearer token. All previous tokens for this user have been revoked.
GET /api/auth/me
Returns the profile and roles of the currently authenticated user. Requires a valid Bearer token. This endpoint is the fastest way to verify that a token is still active.Example Request
Response — 200 OK
The authenticated user’s record from the database.
The list of roles currently assigned to this user.
POST /api/auth/logout
Revokes the current access token only. Other active tokens (issued to other devices, if any) are not affected. The endpoint requires a valid Bearer token — you cannot log out without one.Example Request
Response — 200 OK
Passing the Token
Every protected endpoint in Cole requires the Bearer token in the HTTPAuthorization header. The format is always:
Error Handling
Cole returns standard HTTP status codes alongside JSON error bodies for all auth failures.401 Unauthenticated
Returned when a protected endpoint is called without a token, with a malformed token, or with a token that has been revoked.422 Unprocessable Content
Returned when request body validation fails. Theerrors object keys map to the invalid field names.
Invalid credentials on login:
The
"The selected role is invalid." error on the role field most commonly means RoleSeeder has not been run yet, or the value passed does not exactly match one of: super-admin, director, profesor, estudiante, padre.