We added the auth middleware to our /api/user/toggle_saved route to protect it from guest users. We also specified the api guard for this middleware, that is, auth:api.
Guards define how users are authenticated and are configured in the following file.
config/auth.php:
<?php return [ ... 'guards' => [ 'web' => [ 'driver' => 'session', 'provider' => 'users', ], 'api' => [ 'driver' => 'token', 'provider' => 'users', ], ], ... ];
Our web routes use the session driver which maintains authentication state using session cookies. The session driver ships with Laravel and works out-of-the-box. API routes, though, use the token ...