{"id":366,"date":"2025-08-27T20:38:20","date_gmt":"2025-08-27T20:38:20","guid":{"rendered":"https:\/\/1v0.net\/blog\/?p=366"},"modified":"2025-08-27T20:38:44","modified_gmt":"2025-08-27T20:38:44","slug":"building-a-mobile-app-backend-with-laravel-12-api","status":"publish","type":"post","link":"https:\/\/1v0.net\/blog\/building-a-mobile-app-backend-with-laravel-12-api\/","title":{"rendered":"Building a Mobile App Backend with Laravel 12 API"},"content":{"rendered":"\n

Building a Mobile App Backend with Laravel 12 API<\/strong><\/h2>\n\n\n\n

A mobile app needs a reliable backend to handle authentication, serve JSON data, sync user content, and enforce security. Laravel 12 provides everything you need to build a RESTful API<\/strong> that mobile apps (iOS\/Android) can consume easily. In this tutorial you\u2019ll create authentication endpoints, version your API, format JSON consistently, apply rate limiting, and prepare for push notifications.<\/p>\n\n\n\n

<\/div>\n\n\n\n\n

1 – Set Up Sanctum for Mobile Token Auth<\/strong><\/h2>\n\n\n\n

Mobile apps typically use token-based auth<\/strong>. Sanctum is lighter than Passport and perfect for mobile-first APIs.<\/p>\n\n\n

composer require laravel\/sanctum\n\nphp artisan vendor:publish --provider=\"Laravel\\Sanctum\\SanctumServiceProvider\"<\/span>\n\nphp artisan migrate<\/code><\/span>Code language:<\/span> Bash<\/span> (<\/span>bash<\/span>)<\/span><\/small><\/pre>\n\n\n
Publishing Sanctum migrations adds personal_access_tokens<\/code>. Tokens issued here are tied to users, making mobile logins stateless and secure.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
2 – Auth Controller for Mobile<\/strong><\/h2>\n\n\n\n
Create endpoints for login, logout, and fetching the current user. These return JSON only (no views).<\/p>\n\n\n
\/\/ app\/Http\/Controllers\/Api\/MobileAuthController.php<\/span>\nnamespace<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Api<\/span>;\n\nuse<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Controller<\/span>;\nuse<\/span> Illuminate<\/span>\\Http<\/span>\\Request<\/span>;\nuse<\/span> Illuminate<\/span>\\Support<\/span>\\Facades<\/span>\\Auth<\/span>;\n\nclass<\/span> MobileAuthController<\/span> extends<\/span> Controller<\/span>\n<\/span>{\n    public<\/span> function<\/span> login<\/span>(Request $request)<\/span>\n    <\/span>{\n        $credentials = $request->validate([\n            'email'<\/span> => 'required|email'<\/span>,\n            'password'<\/span> => 'required'<\/span>\n        ]);\n\n        if<\/span> (! $token = Auth::attempt($credentials)) {\n            return<\/span> response()->json(['message'<\/span> => 'Invalid credentials'<\/span>], 401<\/span>);\n        }\n\n        $user = Auth::user();\n        $token = $user->createToken('mobile'<\/span>)->plainTextToken;\n\n        return<\/span> response()->json([\n            'token'<\/span> => $token,\n            'user'<\/span>  => $user,\n        ]);\n    }\n\n    public<\/span> function<\/span> me<\/span>(Request $request)<\/span>\n    <\/span>{\n        return<\/span> response()->json($request->user());\n    }\n\n    public<\/span> function<\/span> logout<\/span>(Request $request)<\/span>\n    <\/span>{\n        $request->user()->currentAccessToken()->delete();\n        return<\/span> response()->json(['message'<\/span> => 'Logged out'<\/span>]);\n    }\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
login<\/code> validates credentials and issues a personal access token. The mobile client stores this token securely (Keychain\/Keystore). me<\/code> lets apps fetch the logged-in user, while logout<\/code> revokes the token.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
3 – API Versioning<\/strong><\/h2>\n\n\n\n
Versioning avoids breaking old mobile clients. Use URI prefixes like \/api\/v1\/<\/code> and separate controllers by namespace.<\/p>\n\n\n
\/\/ routes\/api.php<\/span>\nuse<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Api<\/span>\\MobileAuthController<\/span>;\n\nRoute::prefix('v1'<\/span>)->group(function<\/span> ()<\/span> <\/span>{\n    Route::post('\/login'<\/span>,  [MobileAuthController::class, 'login'<\/span>]);\n    Route::post('\/logout'<\/span>, [MobileAuthController::class, 'logout'<\/span>])->middleware('auth:sanctum'<\/span>);\n    Route::get('\/me'<\/span>,      [MobileAuthController::class, 'me'<\/span>])->middleware('auth:sanctum'<\/span>);\n});<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Prefixing routes with v1<\/code> ensures older apps keep working when you release v2<\/code> with changes. Each version can have its own controllers\/resources.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
4 – Consistent JSON Responses<\/strong><\/h2>\n\n\n\n
Always return consistent shapes, so mobile devs can code against stable schemas. Wrap responses in a common format.<\/p>\n\n\n
\/\/ app\/Http\/Resources\/UserResource.php<\/span>\nnamespace<\/span> App<\/span>\\Http<\/span>\\Resources<\/span>;\n\nuse<\/span> Illuminate<\/span>\\Http<\/span>\\Resources<\/span>\\Json<\/span>\\JsonResource<\/span>;\n\nclass<\/span> UserResource<\/span> extends<\/span> JsonResource<\/span>\n<\/span>{\n    public<\/span> function<\/span> toArray<\/span>($request)<\/span>\n    <\/span>{\n        return<\/span> [\n            'id'<\/span>    => $this<\/span>->id,\n            'name'<\/span>  => $this<\/span>->name,\n            'email'<\/span> => $this<\/span>->email,\n        ];\n    }\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
UserResource<\/code> ensures consistent user JSON regardless of DB schema changes. Use resources for all entities returned to mobile clients.<\/p>\n\n\n\n
\/\/ Example in controller<\/span>\nreturn<\/span> response()->json([\n    'status'<\/span> => 'ok'<\/span>,\n    'data'<\/span>   => new<\/span> UserResource($request->user())\n]);<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Wrapping every response with status<\/code> + data<\/code> (and optionally error<\/code>) gives mobile developers a predictable structure across endpoints.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
5 – Rate Limiting & Security<\/strong><\/h2>\n\n\n\n
Mobile APIs are public-facing. Apply strict throttle<\/code> limits to prevent brute force and abuse.<\/p>\n\n\n
\/\/ routes\/api.php (snippet)<\/span>\nRoute::middleware('throttle:60,1'<\/span>)->prefix('v1'<\/span>)->group(function<\/span> ()<\/span> <\/span>{\n    \/\/ all endpoints here are limited to 60 per minute per IP<\/span>\n});<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Use the throttle<\/code> middleware globally or per route group. Adjust per your scale. Combine with auth:sanctum<\/code> so only authenticated clients can access sensitive endpoints.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
6 – Push Notifications Hook (Optional)<\/strong><\/h2>\n\n\n\n
Mobile apps often expect notifications. While Laravel doesn\u2019t send push directly, you can store device tokens and call FCM (Firebase) or APNs (Apple) APIs.<\/p>\n\n\n
\/\/ database\/migrations\/...create_device_tokens.php<\/span>\nSchema::create('device_tokens'<\/span>, function<\/span> (Blueprint $table)<\/span> <\/span>{\n    $table->id();\n    $table->foreignId('user_id'<\/span>)->constrained()->cascadeOnDelete();\n    $table->string('token'<\/span>)->unique(); \/\/ FCM\/APNs token<\/span>\n    $table->string('platform'<\/span>); \/\/ ios \/ android<\/span>\n    $table->timestamps();\n});<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Saving device tokens per user allows you to target them with push via FCM\/APNs when certain backend events fire (new message, order shipped, etc.).<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
7 – Example Mobile Response<\/strong><\/h2>\n\n\n\n
Here\u2019s a sample JSON payload mobile clients would consume from a protected endpoint:<\/p>\n\n\n
{\n  \"status\"<\/span>: \"ok\"<\/span>,\n  \"data\"<\/span>: {\n    \"user\"<\/span>: {\n      \"id\"<\/span>: 1<\/span>,\n      \"name\"<\/span>: \"Alice\"<\/span>,\n      \"email\"<\/span>: \"alice@example.com\"<\/span>\n    },\n    \"posts\"<\/span>: [\n      {\n        \"id\"<\/span>: 101<\/span>,\n        \"title\"<\/span>: \"Hello World\"<\/span>,\n        \"body\"<\/span>: \"This is the first post...\"<\/span>\n      }\n    ]\n  }\n}<\/code><\/span>Code language:<\/span> JSON \/ JSON with Comments<\/span> (<\/span>json<\/span>)<\/span><\/small><\/pre>\n\n\n
This structure is predictable, easy to parse, and extendable. Even when you add new fields, older mobile clients won\u2019t break if they ignore them.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
Wrapping Up<\/h2>\n\n\n\n
You built a mobile-ready backend: token auth with Sanctum, versioned endpoints, resource-based JSON, rate limiting, and optional push integration. This setup ensures your iOS\/Android apps can consume data securely and reliably. Stick to consistent JSON schemas and evolve with versioning when breaking changes are unavoidable.<\/p>\n\n\n\n\n
<\/div>\n\n\n\n\n
What\u2019s Next<\/h2>\n\n\n\n