Writing an API in Laravel is extremely easy 👌 It's just as easy returning a response in json format.
Let me dig into a few examples 👇 to show you the best way to secure your data when returning responses from your API.
An Example App
For the sake of keeping this tutorial simple I am going to give you a brief overview of an example Laravel application. In this app, we have run the php artisan migrate command from a new application. This includes a migration for the users table, which contains the following columns:
- id
- name
- email
- email_verified_at
- password
- remember_token
- created_at
- updated_at
Next, let's create a simple endpoint to retrieve a user.
You'll also have to seed your database with a few users in order to test this out. You can manually add a few users or you can use Faker PHP to create some dynamic users.
Simple Endpoint
Let's add the following contents to our routes/api.php:
Route::get('user/{id}', function($id){
    $user = App\Models\User::find($id);
    return response()->json($user);
});
If we visit this route: /user/1, we will get a JSON output, like this:
{
    "id": 1,
    "name": "Michael Jordan",
    "email": "[email protected]",
    "email_verified_at": "2022-06-23T15:17:44.000000Z",
    "created_at": "2022-06-23T15:17:44.000000Z",
    "updated_at": "2022-06-23T15:17:44.000000Z"
}
As you can see 👆, the output contains every column except password and remember_token. That's because those columns are already hidden from serialization. Let me explain below 👇
Securing Endpoints
If we open up our App\Models\User.php file you'll see the following contents:
<?php
namespace App\Models;
use Illuminate\Contracts\Auth\MustVerifyEmail;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Sanctum\HasApiTokens;
class User extends Authenticatable
{
    use HasApiTokens, HasFactory, Notifiable;
    /**
     * The attributes that are mass assignable.
     *
     * @var array<int, string>
     */
    protected $fillable = [
        'name',
        'email',
        'password',
    ];
    /**
     * The attributes that should be hidden for serialization.
     *
     * @var array<int, string>
     */
    protected $hidden = [
        'password',
        'remember_token',
    ];
    /**
     * The attributes that should be cast.
     *
     * @var array<string, string>
     */
    protected $casts = [
        'email_verified_at' => 'datetime',
    ];
}
The important part to look at is the hidden array. This is where you specify which columns (attributes) you want to exclude when the model is serialized in a json() response.
Let's say for instance that we did not want the user email to be displayed when we return the response. Simple enough, we can change our hidden array to the following:
protected $hidden = [
    'email',
    'password',
    'remember_token',
];
If we call that same route /user/1, we get the updated response without the email address:
{
    "id": 1,
    "name": "Michael Jordan",
    "email_verified_at": "2022-06-23T15:17:44.000000Z",
    "created_at": "2022-06-23T15:17:44.000000Z",
    "updated_at": "2022-06-23T15:17:44.000000Z"
}
That's all you have to do to keep those columns out of your responses when the data is fetched from the database. Pretty cool, right 🤙
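As an added example (not code from the original post), here is the same idea turned around into a $visible allowlist, plus a route showing that hiding only applies at serialization time. It assumes a default Laravel application with Sanctum installed (the post's model already uses HasApiTokens), requests authenticated with a Sanctum token, and the users table from above.

```php
<?php
// --- app/Models/User.php (added example, not the post's own code) ---
namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Sanctum\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens, Notifiable;

    // Allowlist instead of the $hidden denylist: only these attributes are ever
    // serialized. A column added later (a 2FA secret, an API key) stays private
    // until it is listed here, instead of leaking until someone remembers to hide it.
    protected $visible = ['id', 'name', 'created_at'];

    protected $casts = ['email_verified_at' => 'datetime'];
}

// --- routes/api.php (added example, not the post's own code) ---
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->get('user/{id}', function (Request $request, int $id) {
    // findOrFail() answers an unknown id with a 404 instead of a 200 whose body is null.
    $user = User::findOrFail($id);

    // $visible / $hidden only take effect when the model is serialized (toArray(),
    // toJson(), response()->json()). Direct access such as $user->password still
    // returns the value, so never build a response by hand from single attributes.

    // Widen the allowlist per request: only the account owner sees their own e-mail.
    if ($request->user()->is($user)) {
        $user->makeVisible(['email', 'email_verified_at']);
    }

    return response()->json($user);
});
```

With these two files, a request from another authenticated user for /api/user/1 returns only id, name and created_at, while the owner's own request also gets email and email_verified_at.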