rest-api-with-lumen's Introduction

REST API with Lumen 5.5 Build Status

A RESTful API boilerplate for Lumen micro-framework. Features included:

  • Users Resource
  • OAuth2 Authentication using Laravel Passport
  • Scope based Authorization
  • Validation
  • Repository Pattern
  • API Response with Fractal
  • Pagination
  • Seeding Database With Model Factory
  • Event Handling
  • Sending Mail using Mailable class
  • CORS Support
  • Rate Limit API Requests
  • Endpoint Tests and Unit Tests
  • Build Process with Travis CI

Getting Started

First, clone the repo:

$ git clone [email protected]:hasib32/rest-api-with-lumen.git

Laravel Homestead

You can use Laravel Homestead globally or per project for local development. Follow the Installation Guide.

Install dependencies

$ cd rest-api-with-lumen
$ composer install

Configure the Environment

Create .env file:

$ cat .env.example > .env

If you want you can edit database name, database username and database password.

Migrations and Seed the database with fake data

First, we need connect to the database. For homestead user, login using default homestead username and password:

$ mysql -uhomestead -psecret

Then create a database:

mysql> CREATE DATABASE restapi;

And also create test database:

mysql> CREATE DATABASE restapi_test;

Run the Artisan migrate command with seed:

$ php artisan migrate --seed

Create "personal access" and "password grant" clients which will be used to generate access tokens:

$ php artisan passport:install

You can find those clients in oauth_clients table.

API Routes

HTTP Method Path Action Scope Desciption
GET /users index users:list Get all users
POST /users store users:create Create an user
GET /users/{user_id} show users:read Fetch an user by id
PUT /users/{user_id} update users:write Update an user by id
DELETE /users/{user_id} destroy users:delete Delete an user by id

Note: users/me is a special route for getting current authenticated user. And for all User routes 'users' scope is available if you want to perform all actions.

OAuth2 Routes

Visit dusterio/lumen-passport to see all the available OAuth2 routes.

Creating access_token

Since Laravel Passport doesn't restrict any user creating any valid scope. I had to create a route and controller to restrict user creating access token only with permitted scopes. For creating access_token we have to use the accessToken route. Here is an example of creating access_token for grant_type password with Postman.

access_token creation

Creating a New Resource

Creating a new resource is very easy and straight-forward. Follow these simple steps to create a new resource.

Step 1: Create Route

Create a new route name messages. Open the routes/web.php file and add the following code:

$route->post('messages', [
    'uses'       => 'MessageController@store',
    'middleware' => "scope:messages,messages:create"
$route->get('messages',  [
    'uses'       => 'MessageController@index',
    'middleware' => "scope:messages,messages:list"
$route->get('messages/{id}', [
    'uses'       => 'MessageController@show',
    'middleware' => "scope:messages,messages:read"
$route->put('messages/{id}', [
    'uses'       => 'MessageController@update',
    'middleware' => "scope:messages,messages:write"
$route->delete('messages/{id}', [
    'uses'       => 'MessageController@destroy',
    'middleware' => "scope:messages,messages:delete"

For more info please visit Lumen Routing page.

Step 2: Create Model and Migration for the Table

Create Message Model inside App/Models directory and create migration using Lumen Artisan command.

Message Model


namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class Message extends Model
     * The database table used by the model.
     * @var string
    protected $table = 'messages';

     * The attributes that are mass assignable.
     * @var array
    protected $fillable = [

Visit Laravel Eloquent Page for more info about Model.

Create migration for messages table

php artisan make:migration create_messages_table --create=messages

Migration file

class CreateMessagesTable extends Migration
    public function up()
        Schema::create('messages', function (Blueprint $table) {
            $table->string('uid', 36)->unique();


For more info visit Laravel Migration page.

Step 3: Create Repository

Create MessageRepository and implementation of the repository name EloquentMessageRepository.



namespace App\Repositories\Contracts;

interface MessageRepository extends BaseRepository



namespace App\Repositories;

use App\Models\Message;
use App\Repositories\Contracts\MessageRepository;

class EloquentMessageRepository extends AbstractEloquentRepository implements MessageRepository
     * Model name.
     * @var string
    protected $modelName = Message::class;

Next, update RepositoriesServiceProvider to bind the implementation:


namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use App\Repositories\Contracts\UserRepository;
use App\Repositories\EloquentUserRepository;
use App\Repositories\Contracts\MessageRepository;
use App\Repositories\EloquentMessageRepository;

class RepositoriesServiceProvider extends ServiceProvider
     * Indicates if loading of the provider is deferred.
     * @var bool
    protected $defer = true;

     * Register any application services.
     * @return void
    public function register()
        $this->app->bind(UserRepository::class, function () {
            return new EloquentUserRepository(new User());
        $this->app->bind(MessageRepository::class, function () {
            return new EloquentMessageRepository(new Message());

     * Get the services provided by the provider.
     * @return array
    public function provides()
        return [

Visit Lumen documentation for more info about Service Provider.

Step 4: Create Fractal Transformer

Fractal provides a presentation and transformation layer for complex data output, the like found in RESTful APIs, and works really well with JSON. Think of this as a view layer for your JSON/YAML/etc.

Create a new Transformer name MessageTransformer inside app/Transformers directory:


namespace App\Transformers;

use App\Models\Message;
use League\Fractal\TransformerAbstract;

class MessageTransformer extends TransformerAbstract
    public function transform(Message $message)
        return [
            'id'        => $message->uid,
            'userId'    => $message->userId,
            'subject'   => $message->subject,
            'message'   => $message->message,
            'createdAt' => (string) $message->created_at,
            'updatedAt' => (string) $message->updated_at,

Visit Fractal official page for more information.

Step 5: Create Policy

For authorization we need to create policy that way basic user can't show or edit other user messages.



namespace App\Policies;

use App\Models\User;
use App\Models\Message;

class MessagePolicy
     * Intercept checks.
     * @param User $currentUser
     * @return bool
    public function before(User $currentUser)
        if ($currentUser->isAdmin() && (!$currentUser->tokenCan('basic') || $currentUser->tokenCan('undefined'))) {
            return true;

     * Determine if a given user has permission to show.
     * @param User $currentUser
     * @param Message $message
     * @return bool
    public function show(User $currentUser, Message $message)
        return $currentUser->id === $message->userId;

     * Determine if a given user can update.
     * @param User $currentUser
     * @param Message $message
     * @return bool
    public function update(User $currentUser, Message $message)
        return $currentUser->id === $message->userId;

     * Determine if a given user can delete.
     * @param User $currentUser
     * @param Message $message
     * @return bool
    public function destroy(User $currentUser, Message $message)
        return $currentUser->id === $message->userId;

Next, update AuthServiceProvider to use the policy:

Gate::policy(Message::class, MessagePolicy::class);

And add scopes to Passport::tokensCan:

    'messages' => 'Messages scope',
    'messages:list' => 'Messages scope',
    'messages:read' => 'Messages scope for reading records',
    'messages:write' => 'Messages scope for writing records',
    'messages:create' => 'Messages scope for creating records',
    'messages:delete' => 'Messages scope for deleting records'

Visit Lumen Authorization Page for more info about Policy.

Last Step: Create Controller

Finally, let's create the MessageController. Here we're using MessageRepository, MessageTransformer and MessagePolicy.


namespace App\Http\Controllers;

use App\Models\Message;
use App\Repositories\Contracts\MessageRepository;
use Illuminate\Http\Request;
use App\Transformers\MessageTransformer;

class MessageController extends Controller
     * Instance of MessageRepository.
     * @var MessageRepository
    private $messageRepository;

     * Instanceof MessageTransformer.
     * @var MessageTransformer
    private $messageTransformer;

     * Constructor.
     * @param MessageRepository $messageRepository
     * @param MessageTransformer $messageTransformer
    public function __construct(MessageRepository $messageRepository, MessageTransformer $messageTransformer)
        $this->messageRepository = $messageRepository;
        $this->messageTransformer = $messageTransformer;


     * Display a listing of the resource.
     * @param Request $request
     * @return \Illuminate\Http\JsonResponse
    public function index(Request $request)
        $messages = $this->messageRepository->findBy($request->all());

        return $this->respondWithCollection($messages, $this->messageTransformer);

     * Display the specified resource.
     * @param $id
     * @return \Illuminate\Http\JsonResponse|string
    public function show($id)
        $message = $this->messageRepository->findOne($id);

        if (!$message instanceof Message) {
            return $this->sendNotFoundResponse("The message with id {$id} doesn't exist");

        // Authorization
        $this->authorize('show', $message);

        return $this->respondWithItem($message, $this->messageTransformer);

     * Store a newly created resource in storage.
     * @param Request $request
     * @return \Illuminate\Http\JsonResponse|string
    public function store(Request $request)
        // Validation
        $validatorResponse = $this->validateRequest($request, $this->storeRequestValidationRules($request));

        // Send failed response if validation fails
        if ($validatorResponse !== true) {
            return $this->sendInvalidFieldResponse($validatorResponse);

        $message = $this->messageRepository->save($request->all());

        if (!$message instanceof Message) {
            return $this->sendCustomResponse(500, 'Error occurred on creating Message');

        return $this->setStatusCode(201)->respondWithItem($message, $this->messageTransformer);

     * Update the specified resource in storage.
     * @param Request $request
     * @param $id
     * @return \Illuminate\Http\JsonResponse
    public function update(Request $request, $id)
        // Validation
        $validatorResponse = $this->validateRequest($request, $this->updateRequestValidationRules($request));

        // Send failed response if validation fails
        if ($validatorResponse !== true) {
            return $this->sendInvalidFieldResponse($validatorResponse);

        $message = $this->messageRepository->findOne($id);

        if (!$message instanceof Message) {
            return $this->sendNotFoundResponse("The message with id {$id} doesn't exist");

        // Authorization
        $this->authorize('update', $message);

        $message = $this->messageRepository->update($message, $request->all());

        return $this->respondWithItem($message, $this->messageTransformer);

     * Remove the specified resource from storage.
     * @param $id
     * @return \Illuminate\Http\JsonResponse|string
    public function destroy($id)
        $message = $this->messageRepository->findOne($id);

        if (!$message instanceof Message) {
            return $this->sendNotFoundResponse("The message with id {$id} doesn't exist");

        // Authorization
        $this->authorize('destroy', $message);


        return response()->json(null, 204);

     * Store Request Validation Rules
     * @param Request $request
     * @return array
    private function storeRequestValidationRules(Request $request)
       return [
           'userId'     => 'required|exists:users,id',
           'subject'    => 'required',
           'message'    => 'required',

     * Update Request validation Rules
     * @param Request $request
     * @return array
    private function updateRequestValidationRules(Request $request)
        return [
            'subject'    => '',
            'message'    => '',

Visit Lumen Controller page for more info about Controller.


To see the step-by-step tutorial how I created this boilerplate please visit our blog


Contributions, questions and comments are all welcome and encouraged. For code contributions submit a pull request.


Taylor Otwell, Shahriar Mahmood, Fractal, Phil Sturgeon


MIT license

rest-api-with-lumen's Issues

after generate token issue retrive data user

hi after accessToken..
i try to get data user but always non authorized..

this is my sample :

GET /public/index.php/users/2 HTTP/1.1
Host: restapi.local
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6Ijk5YzdhYTYyZmI1YjBkYTg4MjNlZjZlNTJjMGQ4OTkwM2MwMTc4NTk2Y2FiZDJjYWExMzM4ZDk5YjIyOGZjNzQ0YjEwMjBmNjYyYzk5MWJmIn0.eyJhdWQiOiIyIiwianRpIjoiOTljN2FhNjJmYjViMGRhODgyM2VmNmU1MmMwZDg5OTAzYzAxNzg1OTZjYWJkMmNhYTEzMzhkOTliMjI4ZmM3NDRiMTAyMGY2NjJjOTkxYmYiLCJpYXQiOjE1NjM3NzQwNTQsIm5iZiI6MTU2Mzc3NDA1NCwiZXhwIjoxNTk1Mzk2NDU0LCJzdWIiOiIxIiwic2NvcGVzIjpbIioiXX0.gWPL6OLI71iiMwkZ9HPWc9puupuNAui17mvYu_Qtnd8CtS8tMlTlE3wpUHQ-CLuhP5qHskKBcNYgBBLItx0ptwoVvWOZ1_daDH-OTEMYeaeQAvq5ZoApirMNBFvydCgcfUuY6rKdPb2TS7twB0BSxX7ElAJoKRv6DDS9U0oWFO6sR7PcivJ8waChz_myEgZVRfqgB2dvnVORJz6jxsYJMWYd1x0J6lFFDvVuDvzpM2aJHUPzNUwBDzXyThqbzMiFqdOMC7t-7KGq38Uq1xinWGCR_1lm4tj_HV1jPaoIWrG-OnRgs80nkvg57Cpt5Qrbbg6OpbdjuKamfFJc0GzZop2hx9s_nZTZRINkfDZsZzLsVhs6eKn8fgRrmVnap8u_auzRAkeGerl7hh83_aXB3mn_9qf7eyxKW36DLqsTE-n8Uyn6ogq4RRrC2U7hkTA4ijZ3XrhX7k-NYzL4I3EiYpgL3ue_XZxWGfWleVi5mFGJSYfRoL6EU82aD1QMj7cACbi6gTL2ptTAcoBxyjas3d3pgIgN5uRBWXViLC_quc7s2PlOynB4sVvlme-YvIxelThywWVvARjmJs3xvyYeVsCRZchb5GkioJP6DgjA8RS18o__vyW1wUP_i3n8VKissmRparzS0_UcJ0gwvS5AyEY1_1Rf_YkqOhzlM8xKxG8
User-Agent: PostmanRuntime/7.15.0
Accept: /
Cache-Control: no-cache
Postman-Token: 105b3366-ae0b-480a-a409-891b8d28de9d,86f55e9a-1681-401e-a6d8-a009fd29c084
Host: restapi.local
accept-encoding: gzip, deflate
Connection: keep-alive
cache-control: no-cache

Autoload file not generate


I have clone repository and write command composer update, 5 folder added in vendor folder but autoload file not generated

Warning: require_once(D:\xampp\htdocs\rest-api-with-lumen\bootstrap/../vendor/autoload.php): failed to open stream: No such file or directory in D:\xampp\htdocs\rest-api-with-lumen\bootstrap\app.php on line 3

Fatal error: require_once(): Failed opening required 'D:\xampp\htdocs\rest-api-with-lumen\bootstrap/../vendor/autoload.php' (include_path='D:\xampp\php\PEAR') in D:\xampp\htdocs\rest-api-with-lumen\bootstrap\app.php on line 3

please help

How to call event in new Lumen

In /app/Repositories/EloquentUserRepository.php

The correct use of Event in Laravel/Lumen is:

\Event::fire(new UserCreatedEvent($user));


event(new UserCreatedEvent($user));

And my IDE dont know who is \Event in the first case (PhpStorm)

Rename table user

Is it possible to rename the table users ?
I already have a user table for my admin panel.


Implicit Grant ability

How to enable the Implicit Grant. Is it just adding enableImplicitGrant method to the AuthServiceProvider, much like in the docs?

user route

In your readme you're talking about /user instead of /users for creating new user. But i can't find in code where to find this special route. found /me in usercontroller. So i wonder if it's just a typo or if i don't know where to search.


Refresh Token Problem

How can I refresh my token with only sending refresh token? Is there anything for that?

No getting information

After getting the accessToken without any problem, how can I get another information from API. For example I trying to get the information of current user doing this:

screenshot from 2017-07-29 11-41-49
screenshot from 2017-07-29 11-43-02

But I am getting this when I use http://localhost/users/me:

{ "status": 405, "message": "Method Not Allowed" }


{ "status": 401, "message": "Unauthorized" }
Also If I want to save new user or update. If someone has done this, can you share it. Thank you

rest route patch

I didn't see "patch" method in route , only have "put" to update resources.
Should I add patch to update resources in partly?

understanding the use of the accesstokencontroller

hello i have a issue with the accesstoken controller

as far i can understand we are using the token for accesstokencontroller as the token for the entire application right

that is my login or im missing the point ?

Upgrade to lumen 5.5


The project looks interesting. I'm going to use it for one project, but I'm not sure if I need to use the previous version. Do you have any plans to upgrade it to 5.5? Should I wait or can start using current version.

Thanks in advance.


When ever i try to work with docker-compose i get the below error, can you please guide me a little what images should i use?

ERROR: Version in "./docker-compose.yml" is unsupported. You might be seeing this error because you're using the wrong Compose file version. Either specify a version of "2" (or "2.0") and place your service definitions under the serviceskey, or omit theversionkey and place your service definitions at the root of the file to use version 1. For more on the Compose file format versions, see

update readme

update app\Providers\RepositoriesServiceProvider.php :

use App\Repositories\Contracts\MessageRepository;
use App\Repositories\EloquentMessageRepository;

Private/Public Key exchange

Hi @hasib32

First of all I would thank you for this boilerplate really awesome.

Quick Question can you please pont me to the right directions how I can implement the private/public key exchange on your boilerplate? I have very limited info regarding this.


Getting 404 on every request

First of all thanks for putting this boilerplate together.

I've gone through the setup guide but I keep getting 404's on every request. I'm not running the project using homestead, instead I want to be able to just go to http://localhost/project-name/public but this returns a 404.

Am I missing a step? Any help is greatly appreciated.

I have issue installing it

Hi there when I run:
php artisan passport:install
There are no commands defined in the "passport" namespace.

Tried the project, but got 404 error

Initially, I tried to follow the tutorial with Lumen 5.5, it failed for some errors I could not figure out. Then I cloned this repo, I tried to get access token with Postman, but all I got is:

{"status":404,"message":"The requested resource was not found"}

What could be the problem? Thanks.

[NEED HELP] "Insufficient privileges to perform this action", other than users:list

I've got the response ("Insufficient privileges to perform this action") towards the api_token when try to register or login. i don't know what went wrong
register method:
login method:
I've had:

  1. migrate and seed
  2. passport:install
  3. register or login and accessing UserController@show,update,destroy by passing the retrieved token
  4. An example accessing UserController@show, got error:

Note: UserController@store hasn't tested yet

Update: when I comment the this->authorize() for each given methods, it works. means there's something wrong in the policy. what should I do next?

I have a question

Hi, I met a question to developing update password function. But the user's password was set "hidden" in model file, how can I verified my input value is the hidden password's value?
In the backend, can I acquired this hidden user's password ? Thanks

How does this work ?


I have a slight problem to understand how to make this work.

First how can a user register via my api ? If to use the POST /user route you have to be authentified ?

Secondly, I extract it from the group of routes who need to be auth to be use, so I create a user, but how this new freshly created user can access the api ?

This user needs to get an access token, and to get it this user needs a client_id and a client_secret, how do I provide him that ?

I'm a bit lost... :/

get current user

Hello, is there any logic to get currently loggedin user. something like /user/me

Issue to create access Token


first of all a lot of thanks for the tuto on devops ans this repo git;
I'm trying to get an access Token with postman:


If i'm right, something missing in the "headers" section.
And i choose client_id "2", in reference at the table "oauth_clients" for "Password Grant Client".

What am i do wrong?
Could you please help me?


Issue with Scopes

I think that using scopes for "Basic" and "Admin" user roles is incorrect. Scopes are really just the permissions for the current user. So if I am a Basic user I will never have to use the Admin scope. Maybe if I am an Admin and I have a Basic scope this will mean that I can only access my files, profile and just personal records, not all of them. With scopes, you restrict the access of the token for a given user.

You have a check in accessToken controller for the scope, but it could be easily passed if some makes a request directly to /oauth/token. And also you cannot give extra scopes this way.

If you agree with me I could try to make a Pull Request with my versions of scopes when I have time..

Problem with Mocking Repository Model

I have a problem mocking the Model of a Repository. Now the class is directly used in your code and the only way to Mock it is to overwrite it using Reflection, which is not the best practice.

protected $modelName = User::class;

Isn't it better to use the assignment in the construction like:

public function __construct(Model $model)
    $this->model = $model;
    $this->loggedInUser = $this->getLoggedInUser();

Please tell me what you think about this approach.

Invalid Credentials

I am running your tutorial, but I could not get the accessToken. This is the response that I received. I am trying with severals of emails registered in the database (fake data) with the password: test-password but i am getting this response

{ "error": "invalid_credentials", "message": "The user credentials were incorrect." }

Can't run

php artisan migrate --seed
php -S ....
always show this as below

Target [Illuminate\Contracts\Http\Kernel] is not instantiable.

i am gettin error message


when I install it on my server I ma getting this error message. please help to fix it.

BindingResolutionException in Container.php line 804:
Target [Illuminate\Contracts\Http\Kernel] is not instantiable.

in Container.php line 804
at Container->notInstantiable('Illuminate\\Contracts\\Http\\Kernel') in Container.php line 687
at Container->build('Illuminate\\Contracts\\Http\\Kernel') in Container.php line 565
at Container->make('Illuminate\\Contracts\\Http\\Kernel') in Application.php line 208
at Application->make('Illuminate\\Contracts\\Http\\Kernel') in BoundMethod.php line 155
at BoundMethod::addDependencyForCallParameter(object(Application), object(ReflectionParameter), array(), array(object(Request))) in BoundMethod.php line 115
at BoundMethod::getMethodDependencies(object(Application), array(object(ServiceProvider), 'boot'), array()) in BoundMethod.php line 28
at BoundMethod::Illuminate\Container\{closure}() in helpers.php line 912
at value(object(Closure)) in BoundMethod.php line 86
at BoundMethod::callBoundMethod(object(Application), array(object(ServiceProvider), 'boot'), object(Closure)) in BoundMethod.php line 30
at BoundMethod::call(object(Application), array(object(ServiceProvider), 'boot'), array(), null) in Container.php line 524
at Container->call(array(object(ServiceProvider), 'boot')) in Application.php line 176
at Application->register(object(ServiceProvider)) in app.php line 101
at require('/mnt/Depo/Projects/GazlaWeb/bootstrap/app.php') in index.php line 14

