Trackers Lens API

Laravel backend plan

Stack

  • Laravel 13.
  • Laravel Sanctum for SPA authentication with cookie sessions.
  • Database through Eloquent migrations.
  • API responses in JSON only.

First modules

  1. Auth

    • POST /api/register
    • POST /api/login
    • POST /api/logout
    • GET /api/user
    • GET /sanctum/csrf-cookie
  2. Dashboard

    • GET /api/dashboard/summary
    • GET /api/dashboard/activity
    • GET /api/dashboard/system-status
  3. Account

    • GET /api/profile
    • PATCH /api/profile
    • GET /api/subscription
  4. Box management

    • GET /api/boxes
    • POST /api/boxes
    • GET /api/boxes/{box}
    • PATCH /api/boxes/{box}
    • DELETE /api/boxes/{box}
  5. API keys

    • GET /api/api-keys
    • POST /api/api-keys
    • DELETE /api/api-keys/{key}

Sanctum SPA settings

Local development values expected in Laravel .env:

APP_URL=http://127.0.0.1:8000
FRONTEND_URL=http://127.0.0.1:5173
SESSION_DOMAIN=127.0.0.1
SANCTUM_STATEFUL_DOMAINS=127.0.0.1:5173,localhost:5173

The frontend must request GET /sanctum/csrf-cookie before login or any other state-changing request that requires CSRF protection.
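
The CSRF handshake described above, sketched as a browser-side login flow using fetch. This is an added example, not code from this project: the API origin is the APP_URL value above, while the helper names and the email/password body fields are assumptions.

```javascript
// Added example, not project code. API origin is APP_URL from the .env values above.
const API = 'http://127.0.0.1:8000';

// Pull XSRF-TOKEN out of a document.cookie-style string. Laravel URL-encodes
// the cookie value, so it must be decoded before it goes into the header.
function xsrfTokenFromCookie(cookieString) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === 'XSRF-TOKEN') {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Build fetch options for a state-changing JSON request. Fails closed when the
// token cookie is absent instead of sending a request that will get a 419.
function statefulRequest(method, body, cookieString) {
  const token = xsrfTokenFromCookie(cookieString);
  if (token === null) {
    throw new Error('XSRF-TOKEN cookie missing: call /sanctum/csrf-cookie first');
  }
  return {
    method,
    credentials: 'include', // frontend (:5173) and API (:8000) are different origins
    headers: {
      Accept: 'application/json',
      'Content-Type': 'application/json',
      'X-XSRF-TOKEN': token,
    },
    body: JSON.stringify(body),
  };
}

// Login flow: prime the cookies, POST the credentials, then read the user.
// fetchImpl and readCookies are injectable so the flow can run outside a browser.
// The email/password field names are assumptions about the login request body.
async function login(email, password, fetchImpl = fetch, readCookies = () => document.cookie) {
  await fetchImpl(`${API}/sanctum/csrf-cookie`, { credentials: 'include' });
  const init = statefulRequest('POST', { email, password }, readCookies());
  const res = await fetchImpl(`${API}/api/login`, init);
  if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
  return fetchImpl(`${API}/api/user`, {
    credentials: 'include',
    headers: { Accept: 'application/json' },
  });
}
```

With these values, load the frontend from http://127.0.0.1:5173: a cookie scoped to 127.0.0.1 is not visible to a page served from localhost:5173.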