Mid-level 3 min · March 06, 2026

Laravel API: Silent 429 from Missing Throttle Key

Q: Should I use Sanctum or Passport for API authentication?

Sanctum is recommended for most projects. It's simpler, stores tokens in your database, and supports SPA cookie auth. Passport is a full OAuth2 server — use it only if you need third-party clients to authenticate via OAuth2 grants (authorization code, client credentials). For first-party mobile apps and SPA, Sanctum is sufficient.

Q: How do I return paginated results with metadata?

Use Laravel's built-in paginate() method on your query, then wrap it in a ResourceCollection. For example: `UserResource::collection(User::with('posts')->paginate(20))`. Laravel automatically adds `links` and `meta` fields. If you need custom metadata, override the `toResponse()` method or use a dedicated `UserCollection` resource class.

Q: What's the best way to handle validation errors in an API?

Define Form Request classes per endpoint. They centralize rules, messages, and authorization. Laravel automatically returns 422 with JSON error structure. To customize the format, override the `failedValidation()` method in the Form Request. Never handle validation inline in controllers — it becomes unmaintainable.

Missing throttle key caused anonymous users to share a single IP bucket, leading to 429 errors on checkout.

Naren · Founder

Plain-English first. Then code. Then the interview question.

About

● Production Incident 🔎 Debug Guide

⚡Quick Answer

Laravel REST API development builds JSON endpoints using resource routes, Eloquent, and authentication middleware.
Use resource controllers and apiResource to scaffold standard CRUD endpoints in one line.
Laravel Sanctum provides token-based auth with scoped abilities for each API client.
Rate limiting runs in middleware (throttle:60,1) – misconfiguring the key silently blocks legitimate traffic
Transformers (API Resources) prevent leaking internal model attributes and control response shape.
Biggest mistake: returning Eloquent models directly from controllers, exposing sensitive fields via serialization.

Plain-English First

Imagine you own a restaurant. Customers don't walk into your kitchen — they interact with a waiter who takes their order, talks to the chef, and brings back exactly what was asked for. A REST API is that waiter between your database (the kitchen) and any app that needs data (the customer). Laravel is the system that trains that waiter to be fast, secure, and consistent — no matter whether the customer is a mobile app, a React frontend, or another server entirely.

Every serious web product you use today — Uber, Spotify, GitHub — runs on APIs under the hood. When your phone asks 'show me nearby drivers', something has to receive that request, check who's asking, fetch the right data, and return it in a format every device understands. That 'something' is a REST API, and Laravel is one of the most productive frameworks in existence for building one that doesn't embarrass you in production.

The real problem isn't writing a route that returns JSON — that's five lines. The problem is what happens three months later when you have 40 endpoints, three API versions, a mobile team hitting rate limits, and a security audit flagging your token strategy. Most tutorials teach you the five-line version and leave you to figure out the rest alone. That's expensive when you're on a deadline.

By the end of this article you'll be able to architect a versioned, authenticated Laravel REST API with proper resource transformers, custom error handling, rate limiting strategies, and query optimization patterns that hold up under real traffic. You'll also know exactly which shortcuts will cost you later — and what to do instead.

What is Laravel REST API Development?

Laravel REST API Development is building HTTP endpoints that follow REST constraints using Laravel's tooling. Laravel gives you resource routing, authentication middleware, Eloquent for data, and response formatting out of the box.

The key difference from a traditional web app is that an API returns structured data (JSON) instead of rendered HTML views. That changes how you handle validation, error responses, authentication (stateless tokens), and performance (eager loading becomes critical).

If you're coming from building Blade templates, the mental shift is: every response must be explicit and consistent. No implicit session state, no assumption the client is a browser. That's where resource classes and form request validation shine.

routes/api.phpPHP

// TheCodeForge — Laravel REST API example

use Illuminate\Support\Facades\Route;
use App\Http\Controllers\Api\V1\UserController;

Route::apiResource('users', UserController::class)->middleware('auth:sanctum');

// Equivalent to:
// GET /api/users (index)
// POST /api/users (store)
// GET /api/users/{user} (show)
// PUT/PATCH /api/users/{user} (update)
// DELETE /api/users/{user} (destroy)

Output

Creates 5 RESTful endpoints automatically, all protected by Sanctum token authentication.

API vs Web: The Resource Mindset

Resources (users, orders, products) map directly to routes and controllers.
Use singular resource names and HTTP verbs for actions, not verbs in the URL.
Each endpoint returns a consistent JSON envelope — no surprise keys or missing fields.

Production Insight

Teams that skip API Resources and return Eloquent collections often leak internal fields (e.g., password hashes, pivot timestamps) when a new relation is added.

Enforce a resource layer from day one.

If you can't use apiResource, at least append ->transform() to every collection.

Key Takeaway

apiResource is your default.

Only drop down to manual routes when the resource action can't be expressed as CRUD.

This keeps your route file readable and maintainable.

Route Definition Decision Tree

IfStandard CRUD for a single entity

→

UseUse Route::apiResource('resource', Controller::class)

IfRelated nested resources (e.g., posts within a user)

→

UseUse Route::apiResource('users.posts', PostController::class)

IfComplex operations beyond CRUD (search, batch)

→

UseUse Route::post('/users/search', [UserController::class, 'search'])

API Versioning: Strategies That Won't Bite You

API versioning isn't about code — it's about not breaking your clients. Laravel makes versioning easy with route prefixes and separate controller namespaces.

The most common approach is URL prefix versioning: /api/v1/users, /api/v2/users. Laravel's route groups let you apply version prefixes, middleware, and rate limits in one place.

But versioning isn't just about the URL. You also need to version your response structure, validation rules, and error formats. That's why many teams use separate namespace folders (V1, V2) for controllers, resources, and form requests.

A production truth: version once you have a client in production that depends on your responses. Don't plan versions for features you haven't built — you'll overengineer.

routes/api.phpPHP

// TheCodeForge — Laravel API versioning example

use Illuminate\Support\Facades\Route;

Route::prefix('v1')->group(function () {
    Route::apiResource('users', App\Http\Controllers\Api\V1\UserController::class);
});

Route::prefix('v2')->group(function () {
    Route::apiResource('users', App\Http\Controllers\Api\V2\UserController::class);
});

// Each version can have different middleware, rate limit, and response transformers.

Output

Creates two separate versioned endpoint groups, each with its own controllers and logic.

Versioning Pitfall: Using Accept Headers Only

Header-based versioning (Accept: application/vnd.myapi.v1+json) is cleaner in theory but harder to debug with curl, Postman, and browser developer tools. URL prefix versioning is more transparent. If you must use header versioning, provide a fallback and document clearly.

Production Insight

When you introduce v2 but still serve v1, the biggest risk is not the code — it's making changes to v1 models that silently break v1 resource transformations.

Keep version-specific logic isolated in separate transformers.

Run integration tests that hit v1 endpoints after every v2 change.

Key Takeaway

Prefix versioning (v1, v2) is the Laravel standard.

Isolate controllers, resources, and tests per version.

Never mix version logic in the same controller file — you will break something.

Authentication with Laravel Sanctum: Stateless Token Management

Laravel Sanctum is the recommended package for API token authentication. It issues personal access tokens with ability scopes — think of them as limited permissions per token.

Sanctum stores tokens in a personal_access_tokens table and hashes them using SHA-256. You can generate tokens via artisan tinker or a login endpoint. Each token can have multiple abilities (e.g., ['user:read', 'user:write']).

Critical: Sanctum tokens don't expire by default — you must set an expiration in the model's tokens() relationship or prune old tokens. Failing to do that leaves unlimited-duration tokens in the wild.

For production, also implement token revocation on password change and a refresh token pattern if your clients need longer sessions.

app/Http/Controllers/Api/AuthController.phpPHP

// TheCodeForge — Sanctum token generation example

namespace App\Http\Controllers\Api;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

public function login(Request $request)
{
    $request->validate([
        'email' => 'required|email',
        'password' => 'required',
    ]);

    $user = User::where('email', $request->email)->first();

    if (! $user || ! Hash::check($request->password, $user->password)) {
        throw ValidationException::withMessages([
            'email' => ['The provided credentials are incorrect.'],
        ]);
    }

    $token = $user->createToken('api-token', ['user:read', 'user:write'])->plainTextToken;

    return response()->json(['token' => $token, 'abilities' => ['user:read', 'user:write']]);
}

Output

Returns a JSON response with a plain text token (Bearer token) that the client must send in the `Authorization` header for subsequent requests.

Token Abilities as Permissions

Abilities are scoped: ['posts:read', 'posts:write'] — not broad 'admin' or '*'.
Use middleware to enforce abilities on specific routes: ->middleware('abilities:posts:read')
Avoid using '*' as ability unless truly admin-level. Granular abilities allow client access control per endpoint.

Production Insight

A common failure: teams store the plainTextToken only in the initial response, then lose it. Clients have no way to recover it.

Always provide a 'token preview' (last 4 characters) and a way to generate new tokens.

Monitor token creation rates — a sudden spike could indicate a credential stuffing attack.

Key Takeaway

Sanctum tokens are long-lived by design.

Set token expiration via the model's token expiration method.

Use abilities for fine-grained access — never rely solely on token presence.

Transforming Responses with API Resources

Laravel's API Resource classes (extending JsonResource) let you control the JSON output for your Eloquent models. Instead of returning a model directly (which exposes all attributes, includes relationships, and serializes appends), you return a Resource instance that explicitly defines which keys to include.

Think of a Resource as a view for an API response. You can format dates, hide internal IDs, include computed attributes, and conditionally load relationships based on the current route or user.

There are two types: JsonResource (single model) and ResourceCollection (collection). For collections, you can wrap them in a custom collection class that adds meta (pagination links, totals).

Production tip: never return a paginated collection directly — always wrap it in a collection resource that includes the pagination metadata.

app/Http/Resources/V1/UserResource.phpPHP

// TheCodeForge — API Resource example

namespace App\Http\Resources\V1;

use Illuminate\Http\Resources\Json\JsonResource;

class UserResource extends JsonResource
{
    public function toArray($request)
    {
        return [
            'id' => $this->id,
            'name' => $this->name,
            'email' => $this->email,
            'role' => $this->role->name,
            'created_at' => $this->created_at->toIso8601String(),
            'last_active_at' => $this->last_active_at?->diffForHumans(),
            $this->mergeWhen($request->routeIs('users.show'), [
                'posts_count' => $this->posts_count,
                'comments' => PostResource::collection($this->whenLoaded('posts')),
            ]),
        ];
    }
}

Output

A JSON object with explicit keys, formatted dates, conditional inclusion of posts_count only on detail routes.

Performance Trap: Avoid $this->resource without loading

Calling $this->resource inside toArray() gives you the model. But if you use $this->relation inside toArray() without calling $this->whenLoaded(), you trigger an N+1 query. Always wrap relationship access in whenLoaded().

Production Insight

Forgetting $this->mergeWhen for relationships leads to enormous response payloads when the collection loads all relations.

Always wrap optional relations in whenLoaded.

Use ResourceCollection with pagination metadata (links, meta) so mobile clients can navigate pages.

Key Takeaway

Resources are your response contract.

Use whenLoaded to prevent N+1 on relations.

Never return Eloquent models directly from controllers.

Error Handling and Validation: Consistent Failure Responses

Laravel's API error handling should return consistent JSON structures for all failures — validation errors, authentication failures, model not found, and internal server errors.

The default Laravel exception handler returns HTML for errors. You need to override the handler in App\Exceptions\Handler to return JSON for API requests. The easiest way: check if the request expects JSON using $request->expectsJson().

For validation errors, Laravel automatically converts them to JSON. But the default structure uses errors with field keys. Many APIs prefer a flatter structure: {'message': '...', 'errors': {...}}. You can customize this by overriding the invalid() method in your Form Request.

For 404s, use ModelNotFoundException in your controllers and return a custom response with a meaningful message instead of the default "No query results for model...".

app/Exceptions/Handler.phpPHP

// TheCodeForge — API error handling example

namespace App\Exceptions;

use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Auth\AuthenticationException;
use Illuminate\Database\Eloquent\ModelNotFoundException;
use Illuminate\Http\Request;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Throwable;

class Handler extends ExceptionHandler
{
    public function render($request, Throwable $e)
    {
        if ($request->is('api/*')) {
            if ($e instanceof ModelNotFoundException) {
                return response()->json([
                    'message' => 'Resource not found.',
                    'status' => 404,
                ], 404);
            }

            if ($e instanceof AuthenticationException) {
                return response()->json([
                    'message' => 'Unauthenticated. Please provide a valid Bearer token.',
                    'status' => 401,
                ], 401);
            }

            // Fallback for other exceptions
            return response()->json([
                'message' => $e->getMessage(),
                'status' => 500,
            ], 500);
        }

        return parent::render($request, $e);
    }
}

Output

All API routes now return structured JSON errors regardless of the exception type.

Use Form Requests for Validation

Define a separate Form Request class per controller method (e.g., StoreUserRequest). It centralizes validation rules, error messages, and even authorization logic. Your controller stays thin and your validation is reusable.

Production Insight

When you return 500 with the generic message, clients can't differentiate between temporary downtime and critical failures.

Always include a 'status' field and a 'code' (like 'INTERNAL_ERROR', 'VALIDATION_ERROR') so clients can programmatically handle errors.

Monitor 5xx rates via logs — a sudden increase often points to a broken dependency (database, cache).

Key Takeaway

Override Handler::render for API routes to return consistent JSON.

Use ModelNotFoundException to return 404 with a clean message.

Add error codes to responses for client-side error handling.

● Production incidentPOST-MORTEMseverity: high

The Silent 504: Rate Limiting That Took Down Checkout

Symptom

Users reported 429 Too Many Requests during checkout, but analytics showed request counts far below the configured limit.

Assumption

The team assumed the rate limiter was tracking by authenticated user ID.

Root cause

The throttle middleware was configured without a key – 'throttle:60,1' instead of 'throttle:60,1:user_id'. Laravel uses the global IP as default key, so anonymous users shared a single bucket.

Fix

Change route middleware to 'throttle:api' and define the rate limiter using the authenticated user's ID or a combination of IP and route. Use RateLimiter::for('api', fn($job) => Limit::perMinute(60)->by($job->user?->id ?: $job->ip())).

Key lesson

Always specify a unique key for rate limiters; default IP-based keys collapse under proxy or shared IPs.
Test rate limiting under realistic load with both authenticated and unauthenticated requests.
Monitor 429 responses separately from other 4xx errors to catch silent blocking.

Production debug guideCommon Laravel API failures and their root causes3 entries

Symptom · 01

API returns 500 Internal Server Error without logging in the Laravel log

→

Fix

Check if storage/logs is writable. Verify APP_DEBUG=true in .env (temporarily). Run 'php artisan route:list' to confirm routes exist. Look for cached config that may be stale.

Symptom · 02

Token authentication fails with 401 for valid tokens

→

Fix

Check Sanctum token abilities match the middleware 'auth:sanctum' scopes. Verify token hasn't expired (check tokenable_id, last_used_at). Run 'php artisan cache:clear' if you changed token-related config.

Symptom · 03

API returns 404 for routes documented as existing

→

Fix

Verify the route is defined in routes/api.php (not web.php). Check if the route file is cached: run 'php artisan route:cache' after changes. Ensure the URL prefix matches (e.g., /api/v1/users).

★ Laravel API Quick Debug Cheat SheetOne-liner commands and immediate fixes for common API issues in production.

API endpoint returns 500 with no details−

Immediate action

Enable debug mode temporarily: set APP_DEBUG=true in .env, then restart queue workers if using php artisan serve.

Commands

php artisan route:list | grep your-endpoint

tail -n 100 storage/logs/laravel.log

Fix now

Clear cached config and routes: php artisan optimize:clear; then check .env for missing keys.

Sanctum token not working+

Rate limit 429 too aggressive+

Eloquent query returns unexpected results (N+1 or missing relations)+

Laravel API Components Comparison

Component	Purpose	Use Case	Production Gotcha
Sanctum	Token-based API auth	Simple APIs, SPA sessions, mobile tokens	Tokens don't expire by default — you must set expiry via model
Passport (OAuth2)	Full OAuth2 server	Third-party client auth, multiple SPA/APIs	Heavier than Sanctum; scopes can cascade unexpectedly
API Resources	Response transformation	Shape JSON output, hide internal fields	Missing whenLoaded leads to N+1 queries
Form Requests	Validation + authorization	Centralize validation logic per endpoint	Forgetting to type-hint in controller method leads to no validation
Rate Limiting	Request throttling	Prevent abuse, protect backend resources	Default IP-based key collapses behind load balancers

Key takeaways

Use apiResource for standard CRUD, group routes by version prefix (v1, v2).

Sanctum tokens are long-lived

set expiration and revoke on password change.

Transform all responses with API Resources; never return Eloquent models directly.

Customize exception handler to return consistent JSON errors for API routes.

Eager load relationships to prevent N+1 queries

use with() and whenLoaded().

Rate limiters need unique keys per user or IP+route to avoid shared buckets.

Common mistakes to avoid

4 patterns

Returning Eloquent models directly from controllers

Symptom

JSON responses include hidden attributes like password, remember_token, and pivot data when a new relation is loaded by an observer.

Fix

Always use API Resource classes. Create a resource using php artisan make:resource UserResource and return new UserResource($user) or UserResource::collection($users).

Not versioning the API from the start

Symptom

You have production clients consuming /api/users, and you need to change the response format — you break existing integrations and have to coordinate a migration.

Fix

Start with a version prefix even before you have multiple versions: /api/v1/users. When v2 is needed, create a new route group with the v2 prefix. You can always drop the version later if unneeded.

Using hasMany without eager loading in API endpoints

Symptom

List endpoint loads 50 users, then fires 50+ queries to load each user's posts (N+1 problem). Response time jumps from 50ms to 2+ seconds.

Fix

Use with('posts') when retrieving the collection, or load('posts') if you need conditional loading. For deeply nested relations, use withCount or sub-select to avoid loading all related rows.

Applying the same rate limiter globally without per-user differentiation

Symptom

All users share one rate limit bucket because the throttle middleware uses the default IP-based key. A single user can exhaust the limit for everyone.

Fix

Define named rate limiters in AppProvidersRouteServiceProvider. Use the authenticated user's ID or a combination of IP and route as the key. Example: Limit::perMinute(60)->by($user->id ?? $request->ip()).

INTERVIEW PREP · PRACTICE MODE

Interview Questions on This Topic

Q01SENIOR

How do you handle API versioning in Laravel? What are the trade-offs bet...

Q02SENIOR

Explain how Laravel Sanctum personal access tokens work. How would you r...

Q03SENIOR

What is an N+1 query and how would you prevent it in a Laravel API that ...

Q01 of 03SENIOR

How do you handle API versioning in Laravel? What are the trade-offs between URL prefix and header-based versioning?

ANSWER

I use URL prefix versioning (e.g., /api/v1/users, /api/v2/users) with separate controller namespaces (App\Http\Controllers\Api\V1\*). This makes routes self-documenting, works with any HTTP client, and allows easy debugging. Header-based versioning (Accept: application/json; version=2) is cleaner but less discoverable — clients must know the exact header format, and it's harder to test manually. The main trade-off: URL versioning leads to code duplication in early stages, but header versioning can cause silent fallback issues if the client omits the header. My rule: start with URL versioning; you can always move to headers later with a middleware layer, but not the reverse without breaking clients.

FAQ · 4 QUESTIONS

Frequently Asked Questions

What is Laravel REST API Development in simple terms?

Should I use Sanctum or Passport for API authentication?

How do I return paginated results with metadata?

What's the best way to handle validation errors in an API?

🔥

That's Laravel. Mark it forged?

3 min read · try the examples if you haven't