API

Peak includes first-party API support powered by Laravel Sanctum: cookie/session authentication for your own SPA and personal access tokens for third-party API clients. This is built on top of Laravel Jetstream's API features and is fully controllable via the Peak admin panel.


Enabling API Access

API access is disabled by default for security. To enable it:

Admin Panel → Settings → General → Enable API

Once enabled, users will have access to an API Tokens section in their profile management screen where they can create and manage personal access tokens.


API Tokens and Permissions

Each user can generate multiple tokens and assign granular permissions (scopes) to control access to specific abilities.

Managing Permissions

The default permissions system is identical to Jetstream's. When creating an API token, users may select one or more of the following permissions (Sanctum calls them abilities):

  • create
  • read
  • update
  • delete

These scopes can be customized in your app by modifying the Jetstream::permissions() call in the configurePermissions() method of App\Providers\JetstreamServiceProvider. Only abilities registered here are offered in the token form, and Jetstream discards any submitted ability that is not in this list.

use Laravel\Jetstream\Jetstream;

// App\Providers\JetstreamServiceProvider::configurePermissions()
Jetstream::permissions([
    'create',
    'read',
    'update',
    'delete',
]);
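
The following is an added example, not code from Peak or Jetstream, showing a complete service provider that replaces the four generic scopes with resource-scoped abilities and controls which boxes are pre-checked on the token form. The post:* ability names are assumed for illustration; the stock provider generated by Jetstream also registers the Fortify/Jetstream action classes in boot(), which is omitted here.

```php
<?php

namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use Laravel\Jetstream\Jetstream;

class JetstreamServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        $this->configurePermissions();
    }

    /**
     * Register the abilities the "API Tokens" screen offers.
     *
     * Ability names are free-form strings. Resource-scoped names such as
     * "post:update" (hypothetical, not Peak defaults) limit what a leaked
     * token can do to a single model and a single verb.
     */
    protected function configurePermissions(): void
    {
        // Pre-selected when a user opens the "create token" form.
        // Keep this minimal: users rarely uncheck defaults, so a
        // permissive default becomes the de-facto token scope.
        Jetstream::defaultApiTokenPermissions(['post:read']);

        Jetstream::permissions([
            'post:read',
            'post:create',
            'post:update',
            'post:delete',
        ]);
    }
}
```

Jetstream intersects the abilities submitted from the form with this list before storing a token, so a client cannot obtain an ability that is not registered here. Registration alone enforces nothing at request time; each route or policy still has to call tokenCan() with the matching ability name.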

Authorizing Incoming Requests

Once an API token is created, it must be passed via the Authorization header using the Bearer scheme:

Authorization: Bearer YOUR_TOKEN_HERE

Example cURL Request

curl -H "Authorization: Bearer YOUR_TOKEN_HERE" \
-H "Accept: application/json" \
https://your-app.com/api/user

If the token is valid, the request is authenticated as the user who created it. Note that the auth:sanctum guard only verifies that the token exists and has not expired; the permissions attached to the token are enforced solely where your code calls tokenCan (see below). The Accept: application/json header makes an invalid or missing token return a JSON 401 response instead of a redirect to the login page.

Permission Check with tokenCan

Every request authenticated via Laravel Sanctum will have its token associated with the user model. Laravel provides a convenient tokenCan method through the Laravel\Sanctum\HasApiTokens trait, which is automatically applied to the App\Models\User model during Jetstream installation.

You can use this method to verify if the authenticated user's token has a specific permission within your controllers, Livewire components, or policies.

// Inside a controller action or policy method that receives the Post
return $request->user()->id === $post->user_id &&
    $request->user()->tokenCan('post:update');

This ensures that, in addition to the ownership check, only tokens granted the post:update ability can perform the operation. Two caveats apply. First, the ability string must be one registered with Jetstream::permissions(); with Peak's default list (create, read, update, delete) no token can ever carry post:update. Second, requests authenticated through the SPA session cookie rather than a Bearer token are given a Laravel\Sanctum\TransientToken, for which tokenCan() always returns true, so the ownership comparison is the only constraint on first-party requests.
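
As an added example, not part of Peak's or Jetstream's own code, the policy below applies the same check to two operations and distinguishes Bearer-token requests from first-party session requests. It assumes a Post model with a user_id column, a PostPolicy registered for it, and post:update / post:delete abilities registered via Jetstream::permissions(); none of these exist in Peak by default.

```php
<?php

namespace App\Policies;

use App\Models\Post;
use App\Models\User;
use Laravel\Sanctum\TransientToken;

class PostPolicy
{
    /**
     * Owner check AND ability check.
     *
     * Bearer-token requests: tokenCan() consults the abilities stored on the
     * PersonalAccessToken, so a token issued with only "post:read" is refused.
     *
     * Session-cookie (SPA) requests: Sanctum attaches a TransientToken whose
     * can() always returns true, so only the ownership test constrains them.
     */
    public function update(User $user, Post $post): bool
    {
        return $user->id === $post->user_id
            && $user->tokenCan('post:update');
    }

    /**
     * A destructive operation that API tokens may never perform, whatever
     * abilities they carry: only a first-party session request qualifies.
     * currentAccessToken() is a TransientToken for session requests and a
     * PersonalAccessToken for Bearer requests.
     */
    public function delete(User $user, Post $post): bool
    {
        $isFirstPartySession = $user->currentAccessToken() instanceof TransientToken;

        return $isFirstPartySession
            && $user->id === $post->user_id;
    }
}
```

Wire the policy to a route protected by the auth:sanctum middleware and call $this->authorize('update', $post) (or Gate::authorize) in the controller; a failed check yields a 403. One caveat: if the same policy is reached through a route guarded by plain auth (the web guard without Sanctum), no access token is attached, so tokenCan() returns false and currentAccessToken() returns null, and update() denies even the owner. Keep API routes on auth:sanctum, as Jetstream does, so the token context is always present.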

Notes

  • Sanctum uses Laravel's built-in cookie/session authentication for requests from your own SPA and Bearer-token authentication for external clients.
  • Only authenticated users can generate API tokens, and each token belongs to the user who created it.
  • You may extend or restrict permissions using Sanctum's Laravel\Sanctum\HasApiTokens trait (tokenCan, currentAccessToken) together with your policy logic; registering an ability with Jetstream only makes it selectable on the token form.