-
POST
/api/v1/login- Request:
{ "email": "user@example.com", "password": "secret" } - Response:
{ "token": "<sanctum-token>", "expires_at": "2026-07-14T00:00:00Z" } - Uses Laravel Sanctum token guard.
- Request:
-
POST
/api/v1/logout- Header:
Authorization: Bearer <token> - Revokes the token.
- Header:
-
GET
/api/v1/workspaces- Returns a paginated list of workspaces the authenticated user belongs to.
-
POST
/api/v1/workspaces- Request:
{ "name": "Acme Corp" } - Creates a new workspace; the creator becomes the admin.
- Request:
-
GET
/api/v1/workspaces/{workspace}- Returns workspace details, members, and roles.
-
PUT
/api/v1/workspaces/{workspace}- Update workspace name or other mutable attributes.
-
DELETE
/api/v1/workspaces/{workspace}- Only admin can delete; removes all related projects/tasks.
-
POST
/api/v1/workspaces/{workspace}/invite- Request:
{ "email": "new@member.com", "role": "member" } - Sends an invitation email; recipient must accept via
/api/v1/invitations/{token}/accept.
- Request:
-
GET
/api/v1/workspaces/{workspace}/projects- List projects for a workspace.
-
POST
/api/v1/workspaces/{workspace}/projects- Request:
{ "name": "New Project" }
- Request:
-
GET
/api/v1/workspaces/{workspace}/projects/{project}- Project details.
-
PUT
/api/v1/workspaces/{workspace}/projects/{project}- Update project name, description, etc.
-
DELETE
/api/v1/workspaces/{workspace}/projects/{project}- Deletes project and all its tasks.
-
GET
/api/v1/workspaces/{workspace}/projects/{project}/tasks- Supports filtering & sorting:
?status=done?assignee=me?sort=priority
- Supports filtering & sorting:
-
POST
/api/v1/workspaces/{workspace}/projects/{project}/tasks- Request example:
{ "title": "Design landing page", "description": "Create high‑fidelity mockups", "priority": "high", "status": "todo", "assignee_id": 5 }
- Request example:
-
GET
/api/v1/workspaces/{workspace}/projects/{project}/tasks/{task}- Returns the task with related
projectandworkspacedata.
- Returns the task with related
-
PUT
/api/v1/workspaces/{workspace}/projects/{project}/tasks/{task}- Update any mutable field (title, description, status, priority, assignee).
-
DELETE
/api/v1/workspaces/{workspace}/projects/{project}/tasks/{task}- Removes the task.
-
POST
/api/v1/workspaces/{workspace}/projects/{project}/tasks/{task}/move- Request:
{ "status": "in_progress" } - Triggers the
TaskMovedevent, broadcasting to theworkspace.{id}private channel.
- Request:
-
Private
workspace.{workspaceId}– members receive notifications for:TaskMovedTaskAssignedTaskCommented
-
Presence
task.{taskId}– shows a list of users currently viewing a task (payload includesid,name,email).
All endpoints are protected by role‑based policies (admin, member, viewer).
All API errors follow a consistent JSON envelope:
{
"error": {
"code": 403,
"message": "Forbidden",
"details": []
}
}Validation errors return HTTP 422 with an errors object.
- 60 requests/minute per token on all
/api/v1/*routes. - Auth endpoints have a stricter 5 attempts/60 seconds limit on login to protect against brute‑force.