fortify-development
Laravel Fortify Development
Fortify is a headless authentication backend that provides authentication routes and controllers for Laravel applications.
Documentation
Use `search-docs` for detailed Laravel Fortify patterns and documentation.
Usage
- Routes: Use `list-routes` with `only_vendor: true` and `action: "Fortify"` to see all registered endpoints
- Actions: Check `app/Actions/Fortify/` for customizable business logic (user creation, password validation, etc.)
- Config: See `config/fortify.php` for all options including features, guards, rate limiters, and username field
- Contracts: Look in `Laravel\Fortify\Contracts\` for overridable response classes (`LoginResponse`, `LogoutResponse`, etc.)
- Views: All view callbacks are set in `FortifyServiceProvider::boot()` using `Fortify::loginView()`, `Fortify::registerView()`, etc.
Available Features
Enable in the `features` array of `config/fortify.php`:
- `Features::registration()` - User registration
- `Features::resetPasswords()` - Password reset via email
- `Features::emailVerification()` - Requires User to implement `MustVerifyEmail`
- `Features::updateProfileInformation()` - Profile updates
- `Features::updatePasswords()` - Password changes
- `Features::twoFactorAuthentication()` - 2FA with QR codes and recovery codes

Use `search-docs` for feature configuration options and customization patterns.
Setup Workflows
Two-Factor Authentication Setup
- [ ] Add TwoFactorAuthenticatable trait to User model
- [ ] Enable feature in config/fortify.php
- [ ] If the `*_add_two_factor_columns_to_users_table.php` migration is missing, publish via `php artisan vendor:publish --tag=fortify-migrations` and migrate
- [ ] Set up view callbacks in FortifyServiceProvider
- [ ] Create 2FA management UI
- [ ] Test QR code and recovery codes
Use `search-docs` for TOTP implementation and recovery code handling patterns.
Email Verification Setup
- [ ] Enable emailVerification feature in config
- [ ] Implement MustVerifyEmail interface on User model
- [ ] Set up verifyEmailView callback
- [ ] Add verified middleware to protected routes
- [ ] Test verification email flow
Use `search-docs` for MustVerifyEmail implementation patterns.
Password Reset Setup
- [ ] Enable resetPasswords feature in config
- [ ] Set up requestPasswordResetLinkView callback
- [ ] Set up resetPasswordView callback
- [ ] Define password.reset named route (if views disabled)
- [ ] Test reset email and link flow
Use `search-docs` for custom password reset flow patterns.
SPA Authentication Setup
- [ ] Set 'views' => false in config/fortify.php
- [ ] Install and configure Laravel Sanctum for session-based SPA authentication
- [ ] Use the 'web' guard in config/fortify.php (required for session-based authentication)
- [ ] Set up CSRF token handling
- [ ] Test XHR authentication flows
Use `search-docs` for integration and SPA authentication patterns.
Two-Factor Authentication in SPA Mode
When views is set to false, Fortify returns JSON responses instead of redirects.
If a user attempts to log in and two-factor authentication is enabled, the login request will return a JSON response indicating that a two-factor challenge is required:
```json
{
  "two_factor": true
}
```
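The SPA setup checklist and the two-factor JSON response above, seen from the client, as an added example (not part of the original page or of Fortify itself). It assumes Sanctum's `/sanctum/csrf-cookie` endpoint and `XSRF-TOKEN` cookie, Fortify's `code` and `recovery_code` challenge fields, and a fetch-compatible `http` function; the function names are hypothetical.

```javascript
// Added example; helper names are hypothetical. Assumed, not from the page:
// Sanctum's /sanctum/csrf-cookie + XSRF-TOKEN cookie, Fortify's `code` and
// `recovery_code` fields. `http` is any fetch-compatible function.

// Extract and URL-decode the XSRF-TOKEN value from a cookie header string.
function xsrfFromCookies(cookieString) {
  const m = /(?:^|;\s*)XSRF-TOKEN=([^;]+)/.exec(cookieString || '');
  return m ? decodeURIComponent(m[1]) : null;
}

// POST JSON so Fortify answers in JSON and the CSRF check can pass.
async function postJson(http, url, body, getCookies) {
  const token = xsrfFromCookies(getCookies());
  if (!token) throw new Error('no XSRF-TOKEN cookie; request /sanctum/csrf-cookie first');
  return http(url, {
    method: 'POST',
    credentials: 'include', // carry the session cookie ('web' guard)
    headers: {
      'Accept': 'application/json',
      'Content-Type': 'application/json',
      'X-XSRF-TOKEN': token,
    },
    body: JSON.stringify(body),
  });
}

// Step 1: prime the CSRF cookie, post credentials, report whether 2FA is pending.
async function login(http, getCookies, credentials) {
  await http('/sanctum/csrf-cookie', { credentials: 'include' });
  const res = await postJson(http, '/login', credentials, getCookies);
  if (!res.ok) return { state: 'rejected', status: res.status };
  const data = await res.json();
  // The UI must not show the user as signed in while a challenge is pending.
  return { state: data.two_factor === true ? 'two_factor_required' : 'authenticated' };
}

// Step 2: answer the challenge with a TOTP code or a recovery code, never both.
async function answerChallenge(http, getCookies, { code, recoveryCode }) {
  if (Boolean(code) === Boolean(recoveryCode)) throw new Error('send exactly one of code / recoveryCode');
  const body = code ? { code } : { recovery_code: recoveryCode };
  const res = await postJson(http, '/two-factor-challenge', body, getCookies);
  return { state: res.ok ? 'authenticated' : 'challenge_failed', status: res.status };
}
```

In a browser, pass `fetch` as `http` and `() => document.cookie` as `getCookies`; the server session, not the returned `state`, remains the authority on whether the user is logged in.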
Best Practices
Custom Authentication Logic
Override authentication behavior using Fortify::authenticateUsing() for custom user retrieval or Fortify::authenticateThrough() to customize the authentication pipeline. Override response contracts in AppServiceProvider for custom redirects.
Registration Customization
Modify app/Actions/Fortify/CreateNewUser.php to customize user creation logic, validation rules, and additional fields.
Rate Limiting
Configure via fortify.limiters.login in config. Default configuration throttles by username + IP combination.
Key Endpoints
| Feature | Method | Endpoint |
|---|---|---|
| Login | POST | /login |
| Logout | POST | /logout |
| Register | POST | /register |
| Password Reset Request | POST | /forgot-password |
| Password Reset | POST | /reset-password |
| Email Verify Notice | GET | /email/verify |
| Resend Verification | POST | /email/verification-notification |
| Password Confirm | POST | /user/confirm-password |
| Enable 2FA | POST | /user/two-factor-authentication |
| Confirm 2FA | POST | /user/confirmed-two-factor-authentication |
| 2FA Challenge | POST | /two-factor-challenge |
| Get QR Code | GET | /user/two-factor-qr-code |
| Recovery Codes | GET/POST | /user/two-factor-recovery-codes |