Security

Configuring middleware is up to you, but we make it easy to protect your API.

Authorization

Enable the API policy to make the stream policy required. Each API request is then authorized against the corresponding model policy method (viewAny, view, create, update, or delete).

// streams/contacts.json
{
    "api.policy": true
}

You can also specify a different policy to use for the API only:

// streams/contacts.json
{
    "api.policy": "App\\Contacts\\ContactApiPolicy"
}
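
An API-only policy is the place to make the API stricter than the rest of the application. The class below is an added example, not code from the Streams project. It assumes the five methods are called Laravel-policy style (user first, entry second), that entries carry an owner_id attribute, and that API users authenticate with Laravel Sanctum tokens that have a contacts:write ability; all of these are hypothetical.

```php
<?php

namespace App\Contacts;

use Illuminate\Contracts\Auth\Authenticatable;

// Hypothetical API-only policy for the contacts stream (added example).
// Assumption: each method receives the authenticated user (null for guests)
// and, where there is one, the entry being acted on.
class ContactApiPolicy
{
    // Listing requires an authenticated caller; guests are refused.
    public function viewAny(?Authenticatable $user): bool
    {
        return $user !== null;
    }

    // Reading a single contact is limited to its owner.
    public function view(?Authenticatable $user, $contact): bool
    {
        return $user !== null && $this->owns($user, $contact);
    }

    public function create(?Authenticatable $user): bool
    {
        return $user !== null && $this->canWrite($user);
    }

    public function update(?Authenticatable $user, $contact): bool
    {
        return $user !== null && $this->canWrite($user) && $this->owns($user, $contact);
    }

    // Deny by default: deletion is never available over the API.
    public function delete(?Authenticatable $user, $contact): bool
    {
        return false;
    }

    // Assumption: owner_id is a constructed attribute name for this example.
    private function owns(Authenticatable $user, $contact): bool
    {
        return (string) ($contact->owner_id ?? '') === (string) $user->getAuthIdentifier();
    }

    // Assumption: Sanctum's tokenCan(); users without it get no write access.
    private function canWrite(Authenticatable $user): bool
    {
        return method_exists($user, 'tokenCan') && $user->tokenCan('contacts:write');
    }
}
```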

Fallback Authorization

If you would like to run authorization even when no streams or route policy is specified, you can configure a fallback policy.