Web Routes vs API Routes
Laravel separates routes into routes/web.php and routes/api.php because web and API requests have fundamentally different needs. Web routes render HTML with sessions, CSRF protection, and cookie-based authentication. API routes return JSON with stateless token authentication and rate limiting. Understanding this distinction prevents common security vulnerabilities and architecture mistakes that trip up developers moving from other frameworks.
Route File Differences
<?php
// routes/web.php — browser requests with sessions & CSRF

use App\Http\Controllers\DashboardController;
use Illuminate\Support\Facades\Route;

Route::get('/', function () {
    return view('welcome');
});

// Only an authenticated session reaches the dashboard; the 'auth'
// middleware redirects guests to the login page
Route::get('/dashboard', [DashboardController::class, 'index'])
    ->middleware('auth');

<?php
// routes/api.php — JSON API, stateless, prefixed with /api

use App\Http\Controllers\ProfileController;
use App\Http\Controllers\UserController;
use Illuminate\Support\Facades\Route;

Route::get('/users', [UserController::class, 'index']);
// Accessible at: /api/users

// Requests must carry a valid Sanctum token; no session cookie is consulted
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/profile', [ProfileController::class, 'show']);
    Route::put('/profile', [ProfileController::class, 'update']);
});
// Accessible at: /api/profile

// api.php routes are automatically prefixed with /api
// Configure this prefix in RouteServiceProvider or bootstrap/app.php

Middleware Groups Explained
- web middleware group (applied to web.php): StartSession (initializes session), ShareErrorsFromSession (shares validation errors), VerifyCsrfToken (CSRF protection on state-changing requests), SubstituteBindings (resolves route model bindings), EncryptCookies, AddQueuedCookiesToResponse
- api middleware group (applied to api.php): ThrottleRequests (rate limiting — 60/min default), SubstituteBindings. No session, no CSRF — stateless by design
- CSRF protection means every POST/PUT/PATCH/DELETE form in web.php needs @csrf or a _token field. API routes skip this because they rely on token-based auth: a Bearer token is attached by the client's own code rather than sent automatically by the browser like a session cookie, so a cross-site request cannot ride on it
- Web authentication uses Auth::attempt() + session. API authentication uses tokens (Sanctum, Passport) sent in the Authorization header as 'Bearer {token}'
- Never mix concerns: don't return JSON from web routes or redirect from API routes. Web routes return views or redirects; API routes return JsonResponse or API resources
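The session side of that split, as an added example that is not code from this page or from the Laravel project: a web controller whose login and logout actions run under the web middleware group, so CSRF checking, the session and cookie-based auth all apply. The class name, the route registration shown in the header comment and the /dashboard redirect target are assumptions made for the example; Auth::attempt(), session()->regenerate(), regenerateToken() and the other calls are Laravel's own.

```php
<?php
// app/Http/Controllers/Auth/SessionController.php (added example, not the page's code)
// Assumes the default "web" middleware group and these routes in routes/web.php:
//   Route::post('/login', [SessionController::class, 'store']);
//   Route::post('/logout', [SessionController::class, 'destroy'])->middleware('auth');

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class SessionController extends Controller
{
    // Handles the POST from a Blade login form. That form must contain @csrf:
    // without a valid _token the web group's CSRF middleware answers 419
    // before this method is ever reached.
    public function store(Request $request): RedirectResponse
    {
        $credentials = $request->validate([
            'email' => ['required', 'email'],
            'password' => ['required'],
        ]);

        if (! Auth::attempt($credentials, $request->boolean('remember'))) {
            // Web routes redirect with errors flashed to the session; no JSON here.
            return back()
                ->withErrors(['email' => 'These credentials do not match our records.'])
                ->onlyInput('email');
        }

        // Issue a fresh session ID after login so an ID the browser held
        // before authentication cannot be reused (session fixation).
        $request->session()->regenerate();

        return redirect()->intended('/dashboard');
    }

    // Logging out invalidates the session and rotates the CSRF token so the
    // old cookie and the old _token value are useless afterwards.
    public function destroy(Request $request): RedirectResponse
    {
        Auth::guard('web')->logout();

        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
```

The matching Blade form is the ordinary `<form method="POST" action="/login">` with `@csrf` inside it; every state-changing form under web.php needs that directive, and a request arriving without the token never reaches `store()`.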
When to Use Each
Use web.php for: Server-rendered Blade pages, traditional multi-page apps, pages with forms (login, registration, CRUD operations), Inertia.js routes (even though they return JSON, they use web session auth). Use api.php for: Mobile app backends, Single-Page Application (SPA) APIs, third-party integrations, public REST APIs, microservice endpoints. A common pattern is using web.php for the SPA entry point and api.php for all data fetching — Laravel Breeze with React/Vue uses this architecture.
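The token side for the mobile-backend case above, as an added example that is not taken from this page or from Laravel Breeze: a routes/api.php that issues and revokes Laravel Sanctum personal access tokens and guards profile endpoints with token abilities. It assumes Sanctum is installed and App\Models\User uses the HasApiTokens trait; the endpoint paths, the ability names and the 10-per-minute throttle on the token endpoint are choices made for this example.

```php
<?php
// routes/api.php (added example, not the page's code): stateless token auth for a mobile client.
// Assumes Laravel Sanctum is installed and App\Models\User uses the HasApiTokens trait.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;

// POST /api/tokens: exchange credentials for a personal access token.
// No session is started and no CSRF token is checked. The api group's
// throttle still applies, and this tighter limit slows credential guessing.
Route::post('/tokens', function (Request $request) {
    $data = $request->validate([
        'email' => ['required', 'email'],
        'password' => ['required'],
        'device_name' => ['required', 'string', 'max:100'],
    ]);

    $user = User::where('email', $data['email'])->first();

    // Identical response for an unknown email and a wrong password, so the
    // endpoint does not confirm which accounts exist.
    if ($user === null || ! Hash::check($data['password'], $user->password)) {
        return response()->json(['message' => 'Invalid credentials.'], 401);
    }

    // Abilities bound the token's power even if it leaks from the device.
    $token = $user->createToken($data['device_name'], ['profile:read', 'profile:update']);

    return response()->json(['token' => $token->plainTextToken], 201);
})->middleware('throttle:10,1');

// Everything below requires "Authorization: Bearer <token>". A missing or
// invalid token yields 401; clients should send "Accept: application/json"
// so that failure comes back as JSON rather than a redirect to the login page.
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/profile', function (Request $request) {
        abort_unless($request->user()->tokenCan('profile:read'), 403);

        return response()->json($request->user()->only(['id', 'name', 'email']));
    });

    Route::put('/profile', function (Request $request) {
        abort_unless($request->user()->tokenCan('profile:update'), 403);

        $request->user()->update(
            $request->validate(['name' => ['required', 'string', 'max:255']])
        );

        return response()->json(['message' => 'Profile updated.']);
    });

    // DELETE /api/tokens revokes only the token that made this request,
    // leaving the user's other devices signed in.
    Route::delete('/tokens', function (Request $request) {
        $request->user()->currentAccessToken()->delete();

        return response()->noContent();
    });
});
```

Because these routes live in api.php, they are reachable at /api/tokens and /api/profile, and no route here returns a redirect: every outcome is a JSON response with a status code the mobile client can act on.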
Tip
Practice Web Routes vs API Routes in small, isolated examples before integrating into larger projects. Breaking concepts into small experiments builds genuine understanding faster than reading alone.
Practice Task
(1) Write a working example of Web Routes vs API Routes from scratch without looking at notes. (2) Modify it to handle an edge case (empty input, null value, or error state). (3) Share your solution in the Priygop community for feedback.
Common Mistake
A common mistake with Web Routes vs API Routes is skipping edge case testing: empty inputs, null values, and unexpected data types. Always validate boundary conditions to write robust, production-ready Laravel code.
Key Takeaways
- Laravel separates routes into routes/web.php (sessions, CSRF, cookie-based auth) and routes/api.php (stateless tokens, rate limiting) because web and API requests have fundamentally different needs.
- The web middleware group adds StartSession, ShareErrorsFromSession, VerifyCsrfToken, SubstituteBindings, EncryptCookies and AddQueuedCookiesToResponse.
- The api middleware group adds ThrottleRequests (60/min default) and SubstituteBindings only: no session, no CSRF, stateless by design.
- Every POST/PUT/PATCH/DELETE form in web.php needs @csrf or a _token field; API routes rely on token-based auth sent as 'Bearer {token}' instead.