
Dirk313's avatar

Laravel API 403 "This action is unauthorized"

Hi, I have created a project where I use Laravel as my backend and Vue.js as my frontend, but now that I'm testing my API in Postman to see if I get any data, I get this 403 "This action is unauthorized". I'm still learning as I go but can't seem to get it working.

In Postman I have this route http://localhost:8000/api/products as a GET request, and in my .env I have APP_URL=http://localhost:8000

I'm still learning to use APIs and have tried the whole day, googling what the cause might be, but no luck.

If anyone can point me in the right direction I would really appreciate it.

Here is my Products Controller:

<?php
// Namespaces and imports below follow the Craftable-generated layout (assumed, not shown in the post).
namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\Http\Requests\Admin\Product\IndexProduct;
use App\Models\Product;
use Brackets\AdminListing\Facades\AdminListing;
use Illuminate\Contracts\View\Factory;
use Illuminate\View\View;

class ProductsController extends Controller
{
    /**
     * Display a listing of the resource.
     *
     * @param IndexProduct $request
     * @return array|Factory|View
     */
    public function index(IndexProduct $request)
    {
        // create an AdminListing instance for a specific model and process the request
        $data = AdminListing::create(Product::class)->processRequestAndGet(
            // pass the request with params
            $request,

            // set columns to query
            ['brand', 'category', 'enabled', 'id', 'name', 'price', 'published_at', 'tax'],

            // set columns to searchIn
            ['brand', 'category', 'description', 'id', 'name', 'price', 'tax']
        );

        if ($request->ajax()) {
            if ($request->has('bulk')) {
                return [
                    'bulkItems' => $data->pluck('id'),
                ];
            }
            return ['data' => $data];
        }

        return view('admin.product.index', ['data' => $data]);
    }
}

Here is my product form request (IndexProduct):

<?php
// Namespace follows the Craftable convention (assumed, not shown in the post).
namespace App\Http\Requests\Admin\Product;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Support\Facades\Gate;

class IndexProduct extends FormRequest
{
    /**
     * Determine if the user is authorized to make this request.
     *
     * @return bool
     */
    public function authorize(): bool
    {
        // Returns false (Laravel answers 403 "This action is unauthorized.") unless a
        // Gate named 'admin.product.index' is defined and allows the authenticated user.
        return Gate::allows('admin.product.index');
    }

    /**
     * Get the validation rules that apply to the request.
     *
     * @return array
     */
    public function rules(): array
    {
        return [
            'orderBy' => 'in:brand,category,enabled,id,name,price,published_at,tax|nullable',
            'orderDirection' => 'in:asc,desc|nullable',
            'search' => 'string|nullable',
            'page' => 'integer|nullable',
            'per_page' => 'integer|nullable',
        ];
    }
}

This is the api.php file:

<?php
use App\Http\Controllers\Admin\ProductsController;   // namespace assumed (Craftable layout)
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->get('/user', function (Request $request) {
    return $request->user();
});

// Not behind auth:sanctum: the request reaches IndexProduct::authorize() with no user.
Route::get('products', [ProductsController::class, 'index']);
tykus's avatar
1. Why are you using a FormRequest for a GET request? It is a little unconventional.

2. You seem to be using the route name here; or did you define a Gate with that name?

Gate::allows('admin.product.index');

What does that Gate definition look like?

3. The admin.products.index endpoint is outside the auth:sanctum middleware group - is this intentional?
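How the three points above fit together, as an added example that is not code from the thread or from Craftable: the Gate is defined once in AuthServiceProvider and the products route is moved under auth:sanctum, so a request without a valid token is rejected with 401 by the guard before the FormRequest's Gate check runs, while an authenticated non-admin gets the 403. The App\Models namespaces, the controller namespace and the is_admin column are assumptions.

```php
<?php
// app/Providers/AuthServiceProvider.php (excerpt; added example, not Craftable's code)
namespace App\Providers;

use App\Models\User; // assumed model namespace
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Without this definition Gate::allows('admin.product.index') is false for
        // every caller, so IndexProduct::authorize() always ends in a 403.
        // The closure's non-nullable User parameter also means an unauthenticated
        // request is denied without the closure being called.
        Gate::define('admin.product.index', function (User $user): bool {
            return (bool) $user->is_admin; // assumed boolean column on users
        });
    }
}

// routes/api.php (added example)
// use App\Http\Controllers\Admin\ProductsController;  // assumed namespace
// use Illuminate\Http\Request;
// use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->group(function () {
    Route::get('/user', fn (Request $request) => $request->user());

    // Order of checks for GET /api/products:
    //   1. auth:sanctum guard: missing or invalid bearer token -> 401 Unauthenticated
    //   2. IndexProduct::authorize() -> Gate: authenticated but not admin -> 403
    //   3. IndexProduct::rules(): bad orderBy/page values -> 422
    Route::get('/products', [ProductsController::class, 'index']);
});
```

The two file excerpts are shown in one block for brevity; the commented-out use lines belong at the top of routes/api.php.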
Dirk313's avatar

@tykus the only reason I used Gate::allows('admin.product.index'); is so that the route is protected and cannot be accessed without being authenticated.

"The admin.products.index endpoint is outside the auth:sanctum middleware group - is this intentional?" Should the Route::get('products', [ProductsController::class, 'index']); be inside auth:sanctum? Sorry, I'm new to APIs.

Dirk313's avatar

@aunghtetpaing__ I use Craftable (https://getcraftable.com/) to quickly generate an admin scaffold to save some time going through all the runarounds of creating the CRUD myself, so in my DB I do have a remember_token with the token value; Craftable created it for me as well.

AungHtetPaing__'s avatar

@Dirk313 I am not sure whether you get my point or not. I am talking about the Sanctum token, which is stored in the personal_access_tokens table.

Dirk313's avatar

@aunghtetpaing__ Oh yes, sorry, I get it. I have created the tables but no token gets stored in the DB. I neglected to check that and used the token for the login user, which is not correct. I will go through the documentation now.

Dirk313's avatar

@aunghtetpaing__ the table is set up but no logic was done:

<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;

class CreatePersonalAccessTokensTable extends Migration
{
    public function up()
    {
        Schema::create('personal_access_tokens', function (Blueprint $table) {
            $table->id();
            $table->morphs('tokenable');           // owning model (e.g. User)
            $table->string('name');
            $table->string('token', 64)->unique();  // SHA-256 hash of the token, not the plain text
            $table->text('abilities')->nullable();
            $table->timestamp('last_used_at')->nullable();
            $table->timestamp('expires_at')->nullable();
            $table->timestamps();
        });
    }
}
AungHtetPaing__'s avatar

@Dirk313 you need to generate a token when logging in or registering (authentication process):

use Illuminate\Http\Request;
 
Route::post('/tokens/create', function (Request $request) {
    $token = $request->user()->createToken($request->token_name);
 
    return ['token' => $token->plainTextToken];
});

The created token will be stored in the table with the authenticated user's ID. You need to use plainTextToken when accessing the protected API route under auth:sanctum.

Look at the docs for more detail; I don't have much experience with APIs.

Dirk313's avatar

@AungHtetPaing__ I really appreciate you helping me. I will go to the docs and get this API working; learning the unknown is hard but worth it in the end.

Dirk313's avatar

We can mark this as solved. I neglected to change the default auth to api in the config/auth file.
