Guards and middleware

Guards and middleware control who can hit your table endpoints and under which URL prefix. This is essential for security reviews and debugging 401/403 errors.

Guards — what they are

A guard is Laravel's auth context (api, web, sanctum). The guards config entry lists which guards receive ApiTables routes:

'guards' => ['api', 'web'],

Route prefixes per guard

Route names

ApiTables.api.loadTable
ApiTables.web.queryTableData
ApiTables.api.rowTableAction

Useful for generating URLs in tests: route('ApiTables.api.loadTable', ['tableName' => 'users']).

Default middleware

'default_middlewares' => ['auth:sanctum'],

Applied to every table before your controller runs. Change only if your app uses a different API auth strategy:

'default_middlewares' => ['auth:api'],

Per-table middleware

Restrict sensitive tables to admins:

'tables' => [
    'payroll' => [
        'model' => App\Models\Payroll::class,
        'tableClass' => App\ApiTables\PayrollTable::class,
        'middlewares' => ['admin'],
    ],
],

Supported forms

TablesMiddleware merges: default_middlewares + table middlewares and runs them through Laravel's pipeline.

How TablesMiddleware works (senior)

1. Reads {tableName} from route
2. Loads config("api-tables-config.tables.{tableName}.middlewares")
3. Merges with default_middlewares
4. Resolves aliases, classes, and callables
5. Aborts 404 if tableName missing

Common auth debugging

Example: role-based table

// Only users with 'view-reports' permission
'middlewares' => ['can:view-reports'],

Ensure the permission middleware is registered in your app.

Related

• Configuration overview
• Endpoints overview
• Troubleshooting