Labsco
auth0 logo

auth0-laravel-api

โ˜… 37

by auth0 ยท part of auth0/agent-skills

Use when protecting Laravel API endpoints with JWT Bearer token validation or scope checks. Integrates auth0/login with the AuthorizationGuard for stateless APIs receiving access tokens.

๐Ÿงฉ One of 7 skills in the auth0/agent-skills package โ€” works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates โ€” you don't need to read it to use the skill, but it's here to audit before installing.

Auth0 Laravel API Integration

Protect Laravel API endpoints with JWT access token validation using auth0/login and the AuthorizationGuard.


When NOT to Use

ScenarioUse Instead
Laravel web app with login/logout UIauth0-laravel (session-based AuthenticationGuard)
Plain PHP API (no framework)auth0-php-api
Plain PHP web appauth0-php
Single Page Applicationsauth0-react, auth0-vue, or auth0-angular
FastAPI / Python APIsauth0-fastapi-api
Express / Node.js APIsexpress-oauth2-jwt-bearer
Issuing tokensThis skill is for validating access tokens, not issuing them

Key SDK Methods

MethodReturnsPurpose
auth('auth0-api')->user()?StatelessUserReturns authenticated user or null
auth('auth0-api')->check()boolWhether request has a valid token
auth('auth0-api')->hasScope($scope)boolCheck if token has a specific scope
auth('auth0-api')->hasPermission($perm)boolCheck if token has a specific RBAC permission
auth('auth0-api')->id()?stringReturns the sub claim directly
$user->getAuthIdentifier()int|string|nullReturns sub claim
$user->getAttribute('key')mixedReturns any claim value
$user->jsonSerialize()arrayReturns all claims as array
auth('auth0-api')->getCredential()?CredentialEntityFull credential with decoded token data

  • auth0-laravel - For Laravel web apps with login/logout using session-based auth
  • auth0-php-api - For plain PHP APIs without Laravel
  • auth0-quickstart - Initial Auth0 setup
  • auth0-mfa - Add Multi-Factor Authentication
  • auth0-cli - Manage Auth0 resources from the terminal

Quick Reference

Guard configuration (config/auth.php):

'guards' => [
    'auth0-api' => [
        'driver' => 'auth0.authorizer',
        'provider' => 'auth0-provider',
        'configuration' => 'api',
    ],
],
'providers' => [
    'auth0-provider' => [
        'driver' => 'auth0.provider',
        'repository' => 'auth0.repository',
    ],
],

Route protection:

Route::middleware('auth:auth0-api')->group(function () {
    Route::get('/resource', fn() => response()->json([...]));
});

Scope/permission checks:

$guard = auth('auth0-api');
$guard->hasScope('read:messages');       // checks scope claim
$guard->hasPermission('delete:users');   // checks permissions claim (RBAC)

User claims:

$user = auth('auth0-api')->user();
$user->getAuthIdentifier();   // sub
$user->email;                 // any claim via __get
$user->getAttribute('iss');   // explicit claim access

Environment variables:

  • AUTH0_DOMAIN - Auth0 tenant domain (e.g. tenant.us.auth0.com)
  • AUTH0_AUDIENCE - API identifier (e.g. https://api.example.com)

Common Use Cases:

  • Protect routes -> auth:auth0-api middleware (see Step 7)
  • Scope enforcement -> hasScope() (see Step 8)
  • Permission enforcement -> hasPermission() (see Step 8)
  • Advanced configuration -> API Reference

Detailed Documentation

  • Setup Guide - Auth0 CLI setup, environment configuration, getting test tokens
  • Integration Guide - Scopes, permissions, CORS, custom user repositories, error handling, multi-guard
  • API Reference - Complete AuthorizationGuard API, StatelessUser, CredentialEntity, configuration options

References