
This skill helps you design and implement Laravel RESTful APIs using API Resources, Sanctum authentication, and versioned routes for scalable, secure endpoints.

```bash
npx playbooks add skill fusengine/agents --skill laravel-api
```

---
name: laravel-api
description: Build RESTful APIs with Laravel using API Resources, Sanctum authentication, rate limiting, and versioning. Use when creating API endpoints, transforming responses, or handling API authentication.
versions:
  laravel: "12.46"
  php: "8.5"
user-invocable: true
references: references/routing.md, references/controllers.md, references/middleware.md, references/requests.md, references/responses.md, references/validation.md, references/pagination.md, references/http-client.md, references/rate-limiting.md, references/redirects.md, references/urls.md, references/strings.md
related-skills: laravel-auth, laravel-eloquent, laravel-testing
---

# Laravel API Development

## Agent Workflow (MANDATORY)

Before ANY implementation, use `TeamCreate` to spawn 3 agents:

1. **fuse-ai-pilot:explore-codebase** - Analyze existing API patterns
2. **fuse-ai-pilot:research-expert** - Verify Laravel API docs via Context7
3. **mcp__context7__query-docs** - Check API Resources and Sanctum patterns

After implementation, run **fuse-ai-pilot:sniper** for validation.

---

## Overview

Build RESTful APIs with Laravel using API Resources for response transformation and Sanctum for authentication.

| Component | Purpose |
|-----------|---------|
| **Controllers** | Handle requests, delegate to services |
| **Form Requests** | Validate input, authorize actions |
| **API Resources** | Transform models to JSON |
| **Middleware** | Auth, rate limiting, CORS |
| **Routes** | Versioned endpoints with groups |
| **Pagination** | Offset/cursor pagination |
| **HTTP Client** | Consume external APIs |

---

## Critical Rules

1. **Always use API Resources** - Never return Eloquent models directly
2. **Versioned routes** - Prefix with `/v1/`, `/v2/`
3. **Validate all input** - Use Form Requests, not inline validation
4. **Rate limiting** - Configure per-route limits
5. **Consistent responses** - Same structure, proper status codes
6. **Use services** - Keep controllers thin
7. **Eager load** - Prevent N+1 with `with()` before pagination

---

## Reference Guide

### Core Concepts

| Topic | Reference | When to consult |
|-------|-----------|-----------------|
| **Routing** | [routing.md](references/routing.md) | Defining versioned API routes |
| **Controllers** | [controllers.md](references/controllers.md) | Controller patterns, resource methods |
| **Middleware** | [middleware.md](references/middleware.md) | Route protection, request filtering |
| **Validation** | [validation.md](references/validation.md) | Form Requests, validation rules |

### Request/Response

| Topic | Reference | When to consult |
|-------|-----------|-----------------|
| **Requests** | [requests.md](references/requests.md) | Accessing input, files, headers |
| **Responses** | [responses.md](references/responses.md) | API Resources, status codes |
| **Pagination** | [pagination.md](references/pagination.md) | Offset/cursor pagination |

### Advanced

| Topic | Reference | When to consult |
|-------|-----------|-----------------|
| **Rate Limiting** | [rate-limiting.md](references/rate-limiting.md) | Throttle configuration |
| **HTTP Client** | [http-client.md](references/http-client.md) | Consuming external APIs |
| **URLs** | [urls.md](references/urls.md) | URL generation, signed URLs |
| **Strings** | [strings.md](references/strings.md) | String helpers, UUIDs, slugs |
| **Redirects** | [redirects.md](references/redirects.md) | Redirect responses |

---

### Templates (Code Examples)

#### Controllers & Routes

| Template | Purpose |
|----------|---------|
| [ApiController.php.md](references/templates/ApiController.php.md) | Complete CRUD controller with service |
| [api-routes.md](references/templates/api-routes.md) | Versioned routes with middleware |
| [routing-examples.md](references/templates/routing-examples.md) | Detailed routing patterns |

#### Validation & Resources

| Template | Purpose |
|----------|---------|
| [FormRequest.php.md](references/templates/FormRequest.php.md) | Store/Update Form Requests |
| [validation-rules.md](references/templates/validation-rules.md) | All validation rules reference |
| [ApiResource.php.md](references/templates/ApiResource.php.md) | Resource with relationships |

#### External APIs

| Template | Purpose |
|----------|---------|
| [HttpClientService.php.md](references/templates/HttpClientService.php.md) | Reusable HTTP client service |

---

## Quick Reference

### Resource Response

```php
return PostResource::collection($posts);
return PostResource::make($post);
```

### Status Codes

```php
return PostResource::make($post)->response()->setStatusCode(201);
return response()->json(null, 204);
```

### Form Request

```php
public function store(StorePostRequest $request): JsonResponse
{
    $post = $this->service->create($request->validated());
    return PostResource::make($post)->response()->setStatusCode(201);
}
```
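
A Form Request that could back the `store()` method above, showing how authorization and the validated-field allowlist work together. This is an added example, not one of the skill's templates; the field names and the `create` policy ability on `Post` are assumptions.

```php
<?php
// app/Http/Requests/StorePostRequest.php
// Added example: field names and the Post policy are assumptions.

namespace App\Http\Requests;

use App\Models\Post;
use Illuminate\Foundation\Http\FormRequest;

class StorePostRequest extends FormRequest
{
    /**
     * Checked before the rules run; returning false produces a 403,
     * so the controller never sees an unauthorized request.
     */
    public function authorize(): bool
    {
        return $this->user()?->can('create', Post::class) ?? false;
    }

    /**
     * validated() returns only the keys listed here, so extra input such
     * as user_id or is_admin never reaches the service layer.
     */
    public function rules(): array
    {
        return [
            'title' => ['required', 'string', 'max:255'],
            'body' => ['required', 'string'],
            'published_at' => ['nullable', 'date'],
        ];
    }
}
```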

### Rate Limiting

```php
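// At most 60 requests per minute for every route registered inside the group
Route::middleware('throttle:60,1')->group(fn () => Route::apiResource('posts', PostController::class));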
```

### Versioned Routes

```php
Route::prefix('v1')->group(function () {
    Route::apiResource('posts', PostController::class);
});
```
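
The rate limiting and versioning snippets above combined with Sanctum in one route file. This is an added example, not one of the skill's templates; the controller namespaces and the tighter write limit are assumptions.

```php
<?php
// routes/api.php
// Added example: controller namespaces and the 20/min write limit are assumptions.

use App\Http\Controllers\Api\V1\PostController as PostControllerV1;
use App\Http\Controllers\Api\V2\PostController as PostControllerV2;
use Illuminate\Support\Facades\Route;

// The name prefix keeps route names unique across versions (v1.posts.index,
// v2.posts.index), which route caching requires.
Route::prefix('v1')->name('v1.')->group(function () {
    // Public reads: 60 requests per minute per client.
    Route::middleware('throttle:60,1')->group(function () {
        Route::apiResource('posts', PostControllerV1::class)
            ->only(['index', 'show']);
    });

    // Writes: Sanctum token or SPA session required, with a tighter limit.
    Route::middleware(['auth:sanctum', 'throttle:20,1'])->group(function () {
        Route::apiResource('posts', PostControllerV1::class)
            ->only(['store', 'update', 'destroy']);
    });
});

// v2 carries its breaking changes behind its own prefix and controller,
// so existing v1 clients keep the response shape they were built against.
Route::prefix('v2')->name('v2.')
    ->middleware(['auth:sanctum', 'throttle:60,1'])
    ->group(function () {
        Route::apiResource('posts', PostControllerV2::class);
    });
```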

### Pagination

```php
// Per Critical Rule 7, chain with() for any relationship the resource reads before paginate()
return PostResource::collection(Post::paginate(15));
```

---

## Feature Matrix

| Feature | Status | Reference |
|---------|--------|-----------|
| RESTful Controllers | ✅ | controllers.md |
| API Resources | ✅ | responses.md |
| Form Request Validation | ✅ | validation.md |
| Route Versioning | ✅ | routing.md |
| Route Model Binding | ✅ | routing.md |
| Middleware | ✅ | middleware.md |
| Rate Limiting | ✅ | rate-limiting.md |
| Pagination | ✅ | pagination.md |
| Cursor Pagination | ✅ | pagination.md |
| HTTP Client | ✅ | http-client.md |
| Signed URLs | ✅ | urls.md |
| JSON Responses | ✅ | responses.md |

Overview

This skill helps you build production-ready RESTful APIs with Laravel using API Resources, Sanctum authentication, rate limiting, and route versioning. It enforces consistent response formats, thin controllers backed by services, and validated inputs via Form Requests. The workflow includes automated agent steps to analyze code, verify docs, and validate the final implementation.

How this skill works

Before any implementation, spawn three agents with TeamCreate to analyze the codebase, verify Laravel API docs, and check API Resource and Sanctum patterns. Use API Resources to transform models into JSON responses, Form Requests for validation and authorization, and Sanctum for token/session authentication. Apply middleware for authentication, CORS, and per-route rate limiting, and organize routes with version prefixes like /v1/ or /v2/. After implementation, run the validation agent to scan and validate the changes.

When to use it

  • Creating new RESTful endpoints that need consistent JSON responses and versioning.
  • Implementing authenticated APIs using token or SPA authentication with Sanctum.
  • Transforming Eloquent models and relationships into stable API responses.
  • Adding per-route rate limiting, CORS, and other API middleware protections.
  • Refactoring controllers to follow thin-controller, service-layer patterns.

Best practices

  • Always return API Resources, never raw Eloquent models or collections.
  • Validate all input with Form Requests and encode authorization there when possible.
  • Prefix routes with a version (e.g., /v1) and group middleware per-version.
  • Configure per-route throttle limits and document them in API docs.
  • Eager load relationships before pagination to avoid N+1 queries.

Example use cases

  • CRUD posts API: versioned routes, Store/Update Form Requests, PostResource responses.
  • Authenticated user endpoints: Sanctum for SPA/token auth and resource-scoped responses.
  • Public listing with pagination: PostResource::collection(Post::paginate(15)).
  • Rate-limited webhook or public endpoint: Route::middleware('throttle:60,1')->group(...).
  • External API integration: HttpClientService to consume third-party APIs from services.

FAQ

How should I structure controllers and services?

Keep controllers thin: validate with Form Requests, call a service to perform business logic, and return API Resources from the controller.

How do I handle versioning safely?

Use route prefixes (e.g., /v1) and keep older versions intact while introducing v2 with breaking changes; maintain separate controllers or transformers if response shapes differ.