English Português
Demo ao Vivo
Começar Agora
English Português
Demo ao Vivo Começar Agora

API Reference Overview

SaasKitFy exposes a REST API consumed by the React SPA and available for programmatic access via API keys. All responses are JSON.

Base URL

https://api.yourdomain.com/api

Authentication

The API supports two authentication methods:

  • Sanctum session cookies — Used by the SPA. The browser sends the session cookie automatically after login.
  • Bearer tokens — Used for programmatic access. Pass the token in the Authorization header.
Authorization: Bearer your-sanctum-token

Key Headers

  • Authorization — Bearer token for authenticated requests
  • X-Organization-Id — Specify which organization context to use (optional; defaults to active org)
  • X-Api-Key — API key for programmatic access (alternative to Bearer token)
  • Content-Typeapplication/json for POST/PATCH/PUT requests
  • Acceptapplication/json (always include this)

Request Format

Send JSON in the request body for POST, PATCH, and PUT requests:

curl -X POST https://api.yourdomain.com/api/projects \
  -H "Authorization: Bearer your-token" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{"name": "My Project", "status": "backlog"}'

Response Format

Successful responses return JSON with appropriate HTTP status codes:

// 200 OK — resource retrieved
{
    "id": 1,
    "name": "My Project",
    "status": "backlog",
    "created_at": "2026-01-15T10:30:00Z"
}

// 201 Created — resource created
{
    "id": 2,
    "name": "New Project",
    "status": "backlog"
}

// 204 No Content — resource deleted (empty body)

Error Format

Errors return a consistent JSON structure:

// 422 Validation Error
{
    "message": "The name field is required.",
    "errors": {
        "name": ["The name field is required."],
        "email": ["The email must be a valid email address."]
    }
}

// 401 Unauthorized
{
    "message": "Unauthenticated."
}

// 403 Forbidden
{
    "message": "This action is unauthorized."
}

// 404 Not Found
{
    "message": "Resource not found."
}

Rate Limiting

API requests are rate-limited. The response headers include rate limit information:

  • X-RateLimit-Limit — Maximum requests per window
  • X-RateLimit-Remaining — Requests remaining in current window
  • Retry-After — Seconds until the rate limit resets (only on 429 responses)

OpenAPI Specification

A machine-readable OpenAPI spec is available at:

GET /api/openapi.yaml

You can import this into tools like Postman, Insomnia, or any OpenAPI-compatible client.

Route Groups

  • /api/auth/* — Registration, login, password reset, MFA, email verification
  • /api/user/* — Profile, password change, MFA setup
  • /api/organizations/* — CRUD, switching active org
  • /api/members/* — Members, invitations, role changes
  • /api/billing/* — Subscriptions, invoices, billing portal
  • /api/api-keys/* — API key management
  • /api/webhooks/* — Webhook endpoint management
  • /api/admin/* — Admin panel endpoints (super admin only)
  • /api/notifications/* — In-app notifications
Previous Example Module Next Auth Endpoints