API Documentation
Complete API reference for the Laravel 2FA authentication system
API Overview
Authentication
Laravel Sanctum token-based authentication
2FA Protection
Two-factor authentication for enhanced security
JSON Responses
Consistent JSON API responses
Authentication Endpoints
POST
/api/auth/login
Authenticate user and return access token
Request Body
{
"email": "user@example.com",
"password": "password"
}Response
{
"success": true,
"message": "Login successful",
"data": {
"user": {
"id": 1,
"name": "John Doe",
"email": "user@example.com",
"is_2fa_enabled": false
},
"token": "1|abc123...",
"requires_2fa": false
}
}
POST
/api/auth/logout
Logout user and invalidate token
Headers
Authorization: Bearer {token}
Accept: application/jsonResponse
{
"success": true,
"message": "Logged out successfully"
}
GET
/api/auth/user
Get authenticated user information
Headers
Authorization: Bearer {token}
Accept: application/jsonResponse
{
"success": true,
"data": {
"user": {
"id": 1,
"name": "John Doe",
"email": "user@example.com",
"is_2fa_enabled": true,
"created_at": "2024-01-01T00:00:00.000000Z"
}
}
}Two-Factor Authentication
POST
/api/2fa/setup
Generate 2FA secret and QR code
Headers
Authorization: Bearer {token}
Accept: application/jsonResponse
{
"success": true,
"message": "2FA setup initiated",
"data": {
"secret": "JBSWY3DPEHPK3PXP",
"qr_code": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA...",
"qr_url": "otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"
}
}
POST
/api/2fa/confirm
Confirm 2FA setup with verification code
Request Body
{
"code": "123456"
}Response
{
"success": true,
"message": "2FA enabled successfully"
}
POST
/api/2fa/verify
Verify 2FA code for protected routes
Request Body
{
"code": "123456"
}Response
{
"success": true,
"message": "2FA verification successful"
}
GET
/api/2fa/status
Get 2FA status for current user
Headers
Authorization: Bearer {token}
Accept: application/jsonResponse
{
"success": true,
"data": {
"is_2fa_enabled": true,
"is_2fa_verified": false
}
}
POST
/api/2fa/disable
Disable 2FA for current user
Request Body
{
"code": "123456"
}Response
{
"success": true,
"message": "2FA disabled successfully"
}Protected Routes
Routes protected by 2FA middleware require both authentication and 2FA verification.
Example Protected Route
Route::middleware(['auth:sanctum', '2fa.verified'])
->get('/api/protected', [ProtectedController::class, 'index']);Error Response
{
"success": false,
"message": "2FA verification required",
"error": "2fa_required"
}Error Codes
| Code | Message | Description |
|---|---|---|
| 401 | Unauthorized | Invalid or missing authentication token |
| 403 | Forbidden | 2FA verification required |
| 422 | Validation Error | Invalid input data |
| 2fa_required | 2FA Required | Two-factor authentication is required |
| invalid_totp | Invalid TOTP | Invalid or expired TOTP code |
| setup_expired | Setup Expired | 2FA setup session has expired |
Testing the API
Using cURL
# Login
curl -X POST http://localhost/api/auth/login \
-H "Content-Type: application/json" \
-d '{"email":"test@example.com","password":"password"}'
# Use returned token
curl -X GET http://localhost/api/auth/user \
-H "Authorization: Bearer {token}" \
-H "Accept: application/json"Using Postman
- 1. Create a new collection
- 2. Set base URL:
http://localhost - 3. Add Authorization header:
Bearer {token} - 4. Set Accept header:
application/json - 5. Test endpoints with the provided examples