01_AUTHENTICATION

Graphical reference view with linked API documentation.

API — Authentication (Sanctum)

Versioned base path: https://{host}/api/v1

| Requirement | Value |
| --- | --- |
| Accept | application/json (required to receive JSON error bodies on the API) |
| Auth header | Authorization: Bearer {access_token} for protected routes |

Issue token

| Method | POST |
| Path | /api/v1/auth/token |
| Auth | None |
| Throttle | 10 requests / minute (default) |

Request body (JSON)

| Field | Type | Required |
| --- | --- | --- |
| email | string | Yes |
| password | string | Yes |
| device_name | string | Yes (label for the token row, e.g. "iOS 18") |

Success (200): access_token, token_type = Bearer, and the user profile payload (id, contact info, role object, permissions, tenant object, balances, preferences).

Failure: 422 (validation error).

Example — token success

{
  "access_token": "1|nQ3W...token",
  "token_type": "Bearer",
  "user": {
    "id": 27,
    "name": "John Agent",
    "email": "john@example.com",
    "phone": "+1-555-100-2000",
    "avatar": null,
    "status": "active",
    "tenant_id": 3,
    "vacation_pool_balance": "150.00",
    "hotel_card_redeems_left": 2,
    "preferences": {
      "language": "en"
    },
    "email_verified_at": "2026-04-30T16:02:14+00:00",
    "last_login_at": "2026-04-30T18:10:01+00:00",
    "role": {
      "id": 8,
      "name": "Agent",
      "slug": "user"
    },
    "permissions": [
      "dashboard.user",
      "pos.view"
    ],
    "tenant": {
      "id": 3,
      "name": "Safeway Travel",
      "slug": "safeway",
      "domain": "www.safewaytravel.net",
      "default_currency": "USD",
      "enabled_products": ["hotel", "activity", "flight", "deals"]
    }
  }
}

Current user (claims)

| Method | GET |
| Path | /api/v1/auth/user |
| Auth | Bearer |

Alias for external systems:

| Method | GET |
| Path | /api/v1/auth/profile |
| Auth | Bearer |

Response schema includes:

  • Identity: id, name, email, phone, avatar, status
  • Role: role (id, name, slug) + permissions array
  • Tenant context: tenant_id, tenant (id, name, slug, domain, default_currency, enabled_products)
  • Loyalty / incentives: vacation_pool_balance, hotel_card_redeems_left
  • User settings: preferences
  • Audit timestamps: email_verified_at, last_login_at

Example — current profile (/auth/user or /auth/profile)

{
  "id": 27,
  "name": "John Agent",
  "email": "john@example.com",
  "phone": "+1-555-100-2000",
  "avatar": null,
  "status": "active",
  "tenant_id": 3,
  "vacation_pool_balance": "150.00",
  "hotel_card_redeems_left": 2,
  "preferences": {
    "language": "en"
  },
  "email_verified_at": "2026-04-30T16:02:14+00:00",
  "last_login_at": "2026-04-30T18:10:01+00:00",
  "role": {
    "id": 8,
    "name": "Agent",
    "slug": "user"
  },
  "permissions": ["dashboard.user", "pos.view"],
  "tenant": {
    "id": 3,
    "name": "Safeway Travel",
    "slug": "safeway",
    "domain": "www.safewaytravel.net",
    "default_currency": "USD",
    "enabled_products": ["hotel", "activity", "flight", "deals"]
  }
}

Revoke current token (logout on device)

| Method | POST |
| Path | /api/v1/auth/revoke |
| Auth | Bearer |

Success (200): { "ok": true }
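A small client that walks the three routes above in order (issue a token, send it as Bearer on a protected route, revoke it), added here as an example and not part of the project's code. The transport is injectable: http_transport uses urllib against a real host, while fake_server is a constructed stand-in whose 401 and 422 bodies are assumed shapes, not the API's documented responses; the example also shows why the Accept header matters, since error bodies are parsed as JSON instead of being thrown away.

```python
import json
import urllib.request
from urllib.error import HTTPError

def http_transport(method, url, headers, body):  # real transport -> (status, parsed JSON)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as err:  # 401/422/429 still carry a JSON body because Accept was sent
        return err.code, json.loads(err.read() or b"{}")

class SanctumClient:
    def __init__(self, base_url, transport=http_transport):  # base_url: https://{host}/api/v1
        self.base_url, self.transport, self.token = base_url.rstrip("/"), transport, None

    def _call(self, method, path, body=None):
        headers = {"Accept": "application/json"}  # required to receive JSON error bodies
        if body is not None:
            headers["Content-Type"] = "application/json"
        if self.token:  # Bearer header only once a token exists (protected routes)
            headers["Authorization"] = f"Bearer {self.token}"
        return self.transport(method, self.base_url + path, headers, body)

    def issue_token(self, email, password, device_name):
        status, data = self._call("POST", "/auth/token", {"email": email, "password": password, "device_name": device_name})
        if status == 200:
            self.token = data["access_token"]  # keep in memory only; never log it
        return status, data

    def current_user(self):
        return self._call("GET", "/auth/user")

    def revoke(self):
        status, data = self._call("POST", "/auth/revoke")
        if status == 200:
            self.token = None  # server deleted the token row; forget it locally too
        return status, data

def fake_server(method, url, headers, body):  # constructed stand-in, not the real backend
    path = url.split("/api/v1", 1)[1]
    if path == "/auth/token":
        missing = {f: ["required"] for f in ("email", "password", "device_name") if not (body or {}).get(f)}
        if missing:
            return 422, {"message": "validation failed", "errors": missing}
        return 200, {"access_token": "1|nQ3W...token", "token_type": "Bearer", "user": {"id": 27}}
    if headers.get("Authorization") != "Bearer 1|nQ3W...token":
        return 401, {"message": "Unauthenticated."}
    return 200, ({"ok": True} if path == "/auth/revoke" else {"id": 27, "permissions": ["pos.view"]})
```

Pass transport=fake_server to exercise the flow offline; the default transport talks to the real versioned base path.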


See also: in-app page Developer & API (/tenant-admin/developer or /super-admin/developer) for copy-paste base URLs and tenant context.