The iLeben API enforces a two-layer authentication system. The first layer is Laravel Sanctum — every protected request must carry a valid Bearer token issued byDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/scooller/Leben-site/llms.txt
Use this file to discover all available pages before exploring further.
POST /api/v1/login. The second layer is the custom token.origin middleware, which validates that the request’s Origin, Referer, or X-Authorized-Url header matches the authorized_url field stored on the token. Both layers must pass before the API processes the request. Catalog endpoints require only token.origin; endpoints in the checkout, payment, and reservation groups also require a valid Sanctum session (auth:sanctum).
Obtaining a Token
Send aPOST request to /api/v1/login with a JSON body containing the user’s email and password. On success, the API returns a user object and a plain-text token string that you use as a Bearer token on subsequent requests.
The user’s registered email address.
The user’s password.
200 with the following shape:
The authenticated user record (id, name, email).
The plain-text Sanctum token to attach as
Authorization: Bearer <token> on every subsequent request. Store this securely — it is not shown again.Using the Token
Attach the token on every API call that requires authentication using the standard HTTPAuthorization header:
1|abc...) must be sent exactly as returned by the login endpoint. Here is an example request that fetches the authenticated user’s profile:
The token.origin Middleware
In addition to the Bearer token, most API endpoints validate the origin of the request against the authorized_url stored on the token. This is enforced by the EnsureTokenOriginIsAuthorized middleware, registered as token.origin.
The middleware reads the request origin from the first non-empty header in this priority order:
| Header | Description |
|---|---|
Origin | Standard browser origin header, sent automatically by browsers on cross-origin requests |
Referer | Full referring URL; the middleware normalizes it to scheme + host before comparison |
X-Authorized-Url | Custom header for server-to-server clients that cannot set Origin |
scheme://host[:port] (lowercased, no trailing slash) before being compared to the token’s authorized_url. If the token has no authorized_url set, the origin check is skipped and any origin is accepted.
Catalog endpoints (
/api/v1/proyectos, /api/v1/plantas, and related routes) are protected by token.origin only — they do not require auth:sanctum. A valid Bearer token with a matching origin header is sufficient to read the full real estate catalog without a user login session.Authorization and Origin headers for a catalog request:
Origin header automatically, use X-Authorized-Url instead:
Token Model Details
Tokens are stored in thepersonal_access_tokens table using a custom PersonalAccessToken model that extends Laravel Sanctum’s base class. Two additional columns are relevant to the middleware:
| Column | Type | Behaviour |
|---|---|---|
authorized_url | string|null | If set, every token.origin-protected request must present a matching origin. If null, the origin check is skipped. |
expires_at | datetime|null | If set and in the past, the token is treated as invalid and returns 401. If null, the token never expires. |
active scope that filters out expired tokens:
Error Reference
| HTTP Status | Message | Cause |
|---|---|---|
401 | Token de acceso requerido. | No Authorization: Bearer header was sent |
401 | Token de acceso inválido o expirado. | The token does not exist, has been revoked, or its expires_at is in the past |
403 | La URL de origen no está autorizada para este token. | The resolved origin from Origin / Referer / X-Authorized-Url does not match the token’s authorized_url |
403 with a valid token, compare the Origin or Referer your client is sending against the authorized_url configured on the token in the Filament admin panel. The comparison is exact after normalization — a mismatch in protocol (http vs https) or a missing/extra port will cause a 403.
Token Management
API tokens are managed from the Filament admin panel under the API Tokens resource at/admin/api-tokens. From there, administrators can:
- Create new tokens and assign an
authorized_urland optionalexpires_at - Inspect the
last_used_attimestamp to audit active tokens - Delete tokens to revoke access immediately
401 Token de acceso inválido o expirado. response.
Bearer Token and site-config
The GET /api/v1/site-config endpoint is public, but the response payload can include additional fields when a valid Bearer token is present on the request. Including an Authorization: Bearer <token> header signals to the backend that the caller is an authorized client, allowing it to surface data that would otherwise be omitted from anonymous responses.
site-config request.