Properly removing API from Laravel project

Sometimes a development team may decide to remove all API functionality from a Laravel project for various reasons, such as:

• No longer needing any API, and shifting focus to web application with front side.
• Reducing project complexity and cleaning-up the code.
• Reducing potential security issues.
• Improving server resource usage.

In short, if the API features are truly unnecessary, removing it can streamline the project, make maintenance easier, and help the team focus on project’s main goals.

Warning: get a backup from your project. This article assumes the project is under version control.

Steps to remove API functionality and related components

• Verify precondition

  First, we have check if API routes are configured. So run this command in your project's root:

php artisan route:list | grep api

1. If you see any routes listed, it means API is still configured in your project.

2. If there are no results, the API routes may already be removed, or they were never configured. So you can skip this article.

• Remove API routes file
  In Laravel, API routes are defined in routes/api.php. If you no longer need API functionality, delete this file entirely.

  Note: If you have custom WEB routes defined in that file and they are important for the web app, move them to routes/web.php file instead of just deleting everything.

  rm routes/api.php
  

• Remove API route loader in RouteServiceProvider.php
  Open app/Providers/RouteServiceProvider.php file. The API routes are typically loaded in boot() method. Remove it's section where the api.php file is being loaded.

  public function boot()
  {
      $this->routes(function () {
          // Remove or comment this section
          // Route::middleware('api')
          //     ->prefix('api')
          //     ->group(base_path('routes/api.php'));
  
          Route::middleware('web')
              ->group(base_path('routes/web.php'));
      });
  }
  

  After removing these codes, your application will no longer recognize /api routes.

• Remove API middleware in Kernel.php
  Laravel includes middleware for API routes in app/Http/Kernel.php file. You need to remove API middleware group from this file.

  protected $middlewareGroups = [
      'web' => [
          // Web middlewares...
      ],
  
      // Remove or comment this section
      //'api' => [
      //    \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
      //     'throttle:api',
      //     \Illuminate\Routing\Middleware\SubstituteBindings::class,
      //],
  ];
  

Note: If you’re using any middleware specifically for API functionality, make sure to remove them from this array.

• Delete API controllers and resources
  In Laravel, API-specific controllers and resources are usually located in app/Http/Controllers/API and app/Http/Resources directories. So delete these directories.

rm -rf app/Http/Controllers/API
rm -rf app/Http/Resources

Note: Check if any of controllers or resources are still needed by web application. If they are, move them to another location like app/Http/Controllers or app/Http/Resources directories.

• Clear caches
  After removing API-related routes, controllers, and middleware, clear all caches to ensure changes take effect:

php artisan optimize:clear

• Configure CORS path
  Laravel uses config/cors.php to configure cross-origin resource sharing. Since you’re removing API functionality, update 'paths' setting in config/cors.php to be empty:

  'paths' => [], // Instead of ['api/*', 'sanctum/csrf-cookie']
  

• Remove Sanctum traits
  If you're using Laravel Sanctum package for API authentication, you need to remove HasApiTokens trait from your User model.

  In app/Models/User.php file, find and remove:

  //use Laravel\Sanctum\HasApiTokens;
  
  class User extends BaseUser
  {
     //use HasApiTokens;
  }
  

• Delete Sanctum and Passport config files
  Delete config/sanctum.php and config/passport.php if they exist.

• Remove Sanctum and Passport references from Tests
  If you wrote tests that involve Sanctum or Passport, you need to remove any references to them from your test files. So in tests/unit/ and tests/feature/ directories, remove any references to Sanctum and Passport.

• Drop personal access tokens table
  If you were storing personal access tokens in the database (for Sanctum or Passport), you need to drop personal_access_tokens table. You can do this manually or with a migration rollback.

  In your terminal:

  php artisan migrate:rollback
  

  Or, if you prefer, you can manually drop the table in your database:

  DROP TABLE personal_access_tokens;
  

  Also comment out it's related codes:

  //DB::table('personal_access_tokens')->truncate();
  

• Remove Sanctum and Passport packages
  Run the following Composer commands to remove Sanctum and Passport packages from your project:

  composer remove laravel/sanctum
  composer remove laravel/passport
  

  Note: If you're using other packages related to API functionality, make sure to check then remove them.

• Clear all caches again
  Run the following command to ensure all configurations are up-to-date.

  php artisan optimize:clear --force
  

• Verify operation

  Finally, to confirm that API routes were removed, run this command in your project's root:

php artisan route:list | grep api

1. If no results are returned, it means that the API functionality has been completely removed.

2. If you still see routes, check if there are any additional places where API routes may still be registered (such as within third-party packages). Or check your RouteServiceProvider file to make sure API routes are removed from the boot() method.