Tyro is an API package for building production-ready APIs in Laravel. It has a zero-config setup with authentication, authorization, privilege management, 40+ Artisan commands, and battle-tested security. You can use this package to quickly ship secure APIs in Laravel.
Using Tyro's built-in roles and privileges, you can protect routes using the role, roles, privilege, and privileges middleware:
```php
use Illuminate\Support\Facades\Route;

// Require authentication
Route::middleware(['auth:sanctum'])
    ->get('/profile', ProfileController::class);

// Require specific role
Route::middleware(['auth:sanctum', 'role:admin'])
    ->get('/admin/dashboard', AdminDashboardController::class);

// Allow any of multiple roles
Route::middleware(['auth:sanctum', 'roles:admin,editor'])
    ->post('/articles', ArticleController::class);

// Require specific privilege
Route::middleware(['auth:sanctum', 'privilege:reports.run'])
    ->get('/reports', ReportController::class);

// Allow any of multiple privileges
Route::middleware(['auth:sanctum', 'privileges:billing.view,reports.run'])
    ->get('/analytics', AnalyticsController::class);
```
You can also protect API routes using a mix of roles and privileges, called abilities:
```php
// Require ALL abilities (roles and/or privileges)
Route::middleware(['auth:sanctum', 'ability:admin,reports.run'])
    ->post('/reports/export', ReportExportController::class);

// Allow ANY ability
Route::middleware(['auth:sanctum', 'abilities:admin,super-admin,reports.run'])
    ->get('/reports/advanced', AdvancedReportController::class);
```
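The singular and plural middleware names differ only by one letter but switch between ALL and ANY matching, so the following added example (plain PHP, not Tyro's code and not calling Tyro) models the rules as the route comments above describe them and evaluates them for two constructed users. Treating several parameters to `role` or `privilege` as require-all, and denying on unknown or empty rules, are assumptions of this model.

```php
<?php
// Added illustration: a stand-alone model of the six middleware rules as the
// page describes them. Function names and sample users are hypothetical.

/** Split "name:a,b" into [name, [a, b]], dropping empty parameters. */
function parseRule(string $rule): array
{
    [$name, $params] = array_pad(explode(':', $rule, 2), 2, '');
    $wanted = array_filter(array_map('trim', explode(',', $params)), 'strlen');
    return [$name, array_values(array_unique($wanted))];
}

/** Decide whether a user with these roles and privileges passes the rule. */
function allows(string $rule, array $roles, array $privileges): bool
{
    [$name, $wanted] = parseRule($rule);
    // Which of the user's grants the rule is matched against.
    $pool = match ($name) {
        'role', 'roles'           => $roles,
        'privilege', 'privileges' => $privileges,
        'ability', 'abilities'    => array_merge($roles, $privileges),
        default                   => null,
    };
    if ($pool === null || $wanted === []) {
        return false; // assumption: unknown or empty rules fail closed
    }
    $hits = count(array_intersect($wanted, $pool));
    // Plural names match ANY parameter; singular names require ALL of them.
    $any = in_array($name, ['roles', 'privileges', 'abilities'], true);
    return $any ? $hits > 0 : $hits === count($wanted);
}

// Constructed sample users (not from the page).
$users = [
    'analyst' => ['roles' => ['editor'], 'privileges' => ['reports.run']],
    'admin'   => ['roles' => ['admin'], 'privileges' => ['reports.run', 'billing.view']],
];
// Rules copied from the route definitions on this page.
$routes = [
    'POST /reports/export'  => 'ability:admin,reports.run',
    'GET /reports/advanced' => 'abilities:admin,super-admin,reports.run',
    'GET /admin/dashboard'  => 'role:admin',
    'GET /analytics'        => 'privileges:billing.view,reports.run',
];
foreach ($routes as $route => $rule) {
    foreach ($users as $who => $u) {
        $verdict = allows($rule, $u['roles'], $u['privileges']) ? 'allow' : 'deny';
        printf("%-22s %-42s %-8s %s\n", $route, $rule, $who, $verdict);
    }
}
```

The analyst, who holds `reports.run` but not the `admin` role, is denied by `ability:admin,reports.run` yet allowed by `abilities:admin,super-admin,reports.run`, which is the difference to check when reviewing route definitions.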
Here's an example of logging in and getting an API token out of the box after installing Tyro:
```
curl -X POST http://tyro-demo.test/api/login \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{"email":"admin@tyro.project","password":"tyro"}'
{
  "error": 0,
  "id": 1,
  "name": "Tyro Admin",
  "token": "1|mNYqXI9AfPZw1bppwc3WK1F8WSHNAOnAYqV8RR0Oaa1644f7"
}

# Use the token
curl http://tyro-demo.test/api/me \
  -H "Authorization: Bearer 1|mNYqXI9AfPZw1bppwc3WK1F8WSHNAOnAYqV8RR0Oaa1644f7"
{
  "id": 1,
  "name": "Tyro Admin",
  "email": "admin@tyro.project",
  "email_verified_at": null,
  "created_at": "2025-11-27T02:46:33.000000Z",
  "updated_at": "2025-11-27T02:46:33.000000Z",
  "suspended_at": null,
  "suspension_reason": null
}
```
Main Features
- Zero configuration: install and inherit login, registration, profile, role, privileges, and more.
- Security Hardened: Sanctum tokens, suspension workflows, and middleware stack.
- Roles and Privileges: Reusable privileges per-role via HTTP or CLI.
- 40+ CLI Commands: Seed roles, privileges, rotate tokens, suspend users, and more.
- Production Ready: Provides factories, seeders, tests, and an official Postman collection.
- Fully Extensible: Publish config, migrations, factories, and override Tyro internals as needed.
- Read the documentation for a complete list of features and customizations.
👨💻 The source code is available on GitHub: hasinhayder/tyro