Kit by Steve McDougall is a Laravel API starter kit built around token-based authentication, API documentation, and security-first defaults. It targets developers who want a structured starting point for building versioned JSON APIs without wiring everything up from scratch.
Getting Started
Clone the repository, install dependencies, and run the setup script:
composer install
composer run setup
php artisan serve
The composer run setup command copies .env.example to .env, generates an app key, and runs migrations against a local SQLite database.
API Architecture
Kit takes a few deliberate architectural positions:
- No global /api prefix — routes are versioned directly, e.g. /v1/auth/login
- Invokable controllers only — each controller is a single __invoke method
- Form Requests for validation — request payloads are validated in dedicated FormRequest classes, with DTO-style payload classes in app/Http/Payloads/V1
- JSON:API resource format — responses follow a consistent structure for entity data
Authentication
Nine routes handle the full auth lifecycle:
- Registration and login (both return tokens via Laravel Sanctum)
- /v1/auth/me (requires Bearer token)
- Email verification via signed URLs
- Password reset with anti-enumeration responses (the same response is returned whether or not the email exists)
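The anti-enumeration behaviour described above can be implemented as an invokable controller backed by a Form Request. The following is an added example, not Kit's own code; the class names, file paths, queue job and response wording are assumptions. It pushes the user lookup and mail delivery onto a queued job so that the HTTP response is identical in status, body and timing whether or not the address belongs to a registered user.

```php
<?php
// Added example (not Kit's own code). Class names and file paths are assumptions.

// app/Http/Requests/V1/Auth/ForgotPasswordRequest.php
namespace App\Http\Requests\V1\Auth;

use Illuminate\Foundation\Http\FormRequest;

final class ForgotPasswordRequest extends FormRequest
{
    public function authorize(): bool
    {
        return true; // unauthenticated endpoint
    }

    /** @return array<string, array<int, string>> */
    public function rules(): array
    {
        // Validation errors describe the format of the input only; they never
        // reveal whether an account exists for the address.
        return ['email' => ['required', 'string', 'email:rfc', 'max:254']];
    }
}

// app/Jobs/SendPasswordResetLink.php
namespace App\Jobs;

use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Queue\Queueable;
use Illuminate\Support\Facades\Password;

final class SendPasswordResetLink implements ShouldQueue
{
    use Queueable;

    public function __construct(public readonly string $email) {}

    public function handle(): void
    {
        // The password broker reports RESET_LINK_SENT or INVALID_USER. That
        // status stays inside the worker and is never returned to the client.
        Password::sendResetLink(['email' => $this->email]);
    }
}

// app/Http/Controllers/V1/Auth/ForgotPasswordController.php
namespace App\Http\Controllers\V1\Auth;

use App\Http\Requests\V1\Auth\ForgotPasswordRequest;
use App\Jobs\SendPasswordResetLink;
use Illuminate\Http\JsonResponse;

final class ForgotPasswordController
{
    public function __invoke(ForgotPasswordRequest $request): JsonResponse
    {
        // Queue the lookup-and-mail step so the request path does the same
        // amount of work for every address, known or unknown.
        SendPasswordResetLink::dispatch($request->validated('email'));

        // Identical status and body on every path.
        return new JsonResponse([
            'message' => 'If an account exists for that address, a reset link has been sent.',
        ], JsonResponse::HTTP_ACCEPTED);
    }
}
```

Register the controller as an invokable route such as `Route::post('/v1/auth/forgot-password', ForgotPasswordController::class)` and keep it behind the auth rate limiter: a constant response removes the enumeration oracle, but the endpoint still triggers outbound mail and should not be callable without limit.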
Security Defaults
Kit includes several security defaults out of the box:
- ULID primary keys for user records
- Predefined rate limits on auth endpoints, configurable in AppServiceProvider
- Mandatory Content-Type: application/json enforcement on write requests
- Hardened response headers, including X-Content-Type-Options: nosniff, X-Frame-Options: DENY, and Referrer-Policy: no-referrer
- Request ID tracking
- Audit logging for sensitive operations
- and more
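Three of the defaults listed above (Content-Type enforcement on write requests, the hardened response headers, and request ID tracking) fit naturally into a single API middleware. The class below is an added example written for this article, not Kit's own middleware; its name, the 415 response body, the `Cache-Control: no-store` header and the request ID format are assumptions beyond what the article states.

```php
<?php
// Added example (not Kit's own code). Class name, response body, the
// Cache-Control header and the request ID pattern are assumptions.

// app/Http/Middleware/SecureApiRequest.php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Str;
use Symfony\Component\HttpFoundation\Response;

final class SecureApiRequest
{
    /** Methods whose bodies must be JSON. */
    private const WRITE_METHODS = ['POST', 'PUT', 'PATCH'];

    /** Headers applied to every API response, including error responses. */
    private const HARDENED_HEADERS = [
        'X-Content-Type-Options' => 'nosniff',
        'X-Frame-Options'        => 'DENY',
        'Referrer-Policy'        => 'no-referrer',
        'Cache-Control'          => 'no-store', // assumption: tokens must not be cached
    ];

    public function handle(Request $request, Closure $next): Response
    {
        // Request ID tracking: attach one ID to the request, the log context
        // and the response so a single value correlates all three.
        $requestId = $this->requestId($request);
        $request->headers->set('X-Request-Id', $requestId);
        Log::withContext(['request_id' => $requestId]);

        // Content-Type enforcement: a write request with a body that is not
        // JSON is refused before any controller runs. Browsers cannot send
        // application/json cross-origin without a CORS preflight, so this
        // also blocks plain HTML-form submissions against the API.
        if (in_array($request->method(), self::WRITE_METHODS, true)
            && $request->getContent() !== ''
            && ! $request->isJson()) {
            $response = response()->json([
                'message' => 'Content-Type must be application/json.',
            ], Response::HTTP_UNSUPPORTED_MEDIA_TYPE);
        } else {
            $response = $next($request);
        }

        foreach (self::HARDENED_HEADERS as $name => $value) {
            $response->headers->set($name, $value);
        }
        $response->headers->set('X-Request-Id', $requestId);

        return $response;
    }

    private function requestId(Request $request): string
    {
        $supplied = (string) $request->header('X-Request-Id', '');

        // Echo a client-supplied ID only when it is a plain token; anything
        // else is replaced so log lines cannot carry arbitrary bytes.
        return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $supplied) === 1
            ? $supplied
            : (string) Str::ulid();
    }
}
```

In a Laravel 12 application this is registered once in `bootstrap/app.php` with `$middleware->api(append: [SecureApiRequest::class])`. The body check allows an empty body (for example a token-only logout) because the cross-site form submissions the check is meant to stop always carry a body with a form content type.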
Sunset Middleware
Kit also includes a Sunset middleware for deprecating API endpoints over time. You apply it directly to a route with three parameters: the sunset date, a successor URL, and a boolean to control enforcement:
Route::middleware('sunset:2027-01-01,https://api.acme.com/v2/auth/login,true')
    ->post('/v1/auth/login', LoginController::class);
While the endpoint is still active, the middleware appends Deprecation, Sunset, and Link (successor-version) headers to every response, so API clients can detect the deprecation and plan accordingly. Once the sunset date passes and enforcement is enabled, the endpoint returns 410 Gone.
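One way to implement a middleware with exactly that route signature is shown below. It is an added example, not Kit's own Sunset middleware; the class name, the JSON body of the 410 response and the header formats are assumptions. Laravel splits a middleware string on the first colon and then on commas, so the `https:` inside the successor URL reaches the handler intact as the second parameter.

```php
<?php
// Added example (not Kit's own code). Class name, the 410 body and the exact
// header formats are assumptions.

// app/Http/Middleware/Sunset.php
namespace App\Http\Middleware;

use Carbon\CarbonImmutable;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

final class Sunset
{
    /**
     * Route usage: middleware('sunset:2027-01-01,https://api.acme.com/v2/auth/login,true')
     * Parameters arrive as strings in the order they appear after the colon.
     */
    public function handle(
        Request $request,
        Closure $next,
        string $sunsetDate,
        string $successorUrl,
        string $enforce = 'false',
    ): Response {
        $sunsetAt = CarbonImmutable::parse($sunsetDate, 'UTC')->startOfDay();
        $enforced = filter_var($enforce, FILTER_VALIDATE_BOOLEAN);
        $headers  = $this->deprecationHeaders($sunsetAt, $successorUrl);

        // Past the sunset date with enforcement on: refuse the request.
        // The deprecation headers are still sent so clients learn the successor.
        if ($enforced && CarbonImmutable::now('UTC')->greaterThanOrEqualTo($sunsetAt)) {
            return response()->json([
                'message'   => 'This endpoint has been retired.',
                'successor' => $successorUrl,
            ], Response::HTTP_GONE)->withHeaders($headers);
        }

        // Still active: serve the request and advertise the deprecation.
        $response = $next($request);
        foreach ($headers as $name => $value) {
            $response->headers->set($name, $value);
        }

        return $response;
    }

    /** @return array<string, string> */
    private function deprecationHeaders(CarbonImmutable $sunsetAt, string $successorUrl): array
    {
        return [
            // 'true' is the older draft form of Deprecation; RFC 9745 uses an
            // @unix-timestamp of the announcement date, which this route
            // signature does not carry.
            'Deprecation' => 'true',
            // RFC 8594 Sunset takes an HTTP-date.
            'Sunset'      => $sunsetAt->toRfc7231String(),
            // RFC 8288 Link with the successor-version relation.
            'Link'        => sprintf('<%s>; rel="successor-version"', $successorUrl),
        ];
    }
}
```

The alias is registered in `bootstrap/app.php` with `$middleware->alias(['sunset' => Sunset::class])`. Because the third parameter flips a live endpoint to 410 the moment the date passes, it is worth a Pest test that uses Laravel's time travel helper to assert both the header-only behaviour before the date and the 410 behaviour on and after it, so a configuration change is never the first time that path runs.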
Documentation
API documentation is generated using Scribe. Annotations are attribute-based rather than docblock-based, and the setup produces an OpenAPI spec alongside the docs.
Localization
Kit respects the Accept-Language request header and responds with a Content-Language header. Supported locales default to en and es, with translation files at lang/en/api.php and lang/es/api.php.
Tooling
The project uses Pest for tests, PHPStan for static analysis, Pint for code formatting, and Rector for automated refactoring. GitHub Actions workflows run CI tests on every push, apply daily dependency updates, and run security scanning with composer audit and Gitleaks.
Requirements
- PHP 8.5+
- Laravel 12
- SQLite (for local development; configurable for other databases)
Visit juststeveking/kit on GitHub to browse the source code and learn more.