Laravel Package Tyro: API Roles/Privileges Example
Introduces Tyro as a Laravel package for authentication and authorization with roles and privileges.
Tyro for Laravel adds API-level roles and privileges with a robust set of features, shown via a practical admin vs. user demo in Laravel 12.
Summary
Hasin Hayder’s Tyro package is showcased by Laravel Daily as a powerful authentication, authorization, and permission solution built for APIs. The video walks through a fresh Laravel 12 project, installing Tyro with composer require and tyro install, which creates multiple tables (roles, privileges, pivot tables) and seeds sample data. You’ll see how to prepare the User model to use Tyro traits, and a real-world example using VS Code for editing rather than Cursor. After logging in via the API (Postman, bearer token), the creator demonstrates making requests to read posts and then create a post as an admin, followed by attempting the same as a regular user to highlight privilege checks. The demo highlights that storing a post requires the appropriate privilege, and that a 403 HTML response becomes a JSON 403 when Accept: application/json is used. The video refers to Tyro’s extensive documentation and a separate website, noting that default roles and permissions can be extended with features like user suspension. Finally, the host points to the Laravel Daily catalog of packages, including how Tyro has earned over 500 GitHub stars and is included among recommended Laravel packages. The overall takeaway is that Tyro is like Spatie's Laravel Permission package, with many options beyond the basics. Would you consider Tyro for your next API-driven project?
Key Takeaways
- Running composer require and tyro install on a fresh Laravel 12 project creates tables for roles, privileges, and a pivot with timestamps, plus seeders for initial data.
- User model must include HasTyro (e.g., use HasTyro) to enable Tyro roles and permissions, enabling role-based access in API routes.
- Logging in via Tyro’s API returns a token used for subsequent requests; protected routes enforce privileges for actions like creating posts.
- Creating a post as an admin succeeds, while attempting the same action with a regular user yields 403 Forbidden, illustrating privilege checks.
- Tyro’s docs (and separate website) describe defaults, extendable roles/privileges, and features like user suspension beyond basic permissions.
- Laravel Daily notes Tyro’s popularity (500+ GitHub stars) and features a curated list of Laravel packages for discovery and comparison.
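
The access pattern from the demo (reading posts needs only a valid token, storing a post also needs the `create.post` privilege reached through the role pivots), modelled as an added example; it is not Tyro's code and not code from the video. Table names, privilege id 6 and the `create.post` slug follow the video; column names, the `/api/posts` path, the role slugs, e-mail addresses and tokens are assumptions constructed for the sketch.

```python
import sqlite3

# Constructed schema and seed data: table names follow the video,
# column names and all values except privilege 6 / create.post are assumptions.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE);
CREATE TABLE roles (id INTEGER PRIMARY KEY, slug TEXT UNIQUE);
CREATE TABLE privileges (id INTEGER PRIMARY KEY, slug TEXT UNIQUE);
CREATE TABLE user_roles (user_id INTEGER, role_id INTEGER);
CREATE TABLE privilege_role (privilege_id INTEGER, role_id INTEGER);
INSERT INTO users VALUES (1, 'admin@example.test'), (2, 'user@example.test');
INSERT INTO roles VALUES (1, 'super-admin'), (2, 'user');
INSERT INTO privileges VALUES (6, 'create.post');
INSERT INTO user_roles VALUES (1, 1), (2, 2);
INSERT INTO privilege_role VALUES (6, 1);
"""
TOKENS = {"admin-token": 1, "user-token": 2}  # constructed bearer tokens

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def has_privilege(db, user_id, slug):
    """Deny by default: True only if one of the user's roles carries the slug."""
    row = db.execute(
        """SELECT 1 FROM user_roles ur
           JOIN privilege_role pr ON pr.role_id = ur.role_id
           JOIN privileges p ON p.id = pr.privilege_id
           WHERE ur.user_id = ? AND p.slug = ? LIMIT 1""",
        (user_id, slug),
    ).fetchone()
    return row is not None

# Route table mirroring the demo: index needs a valid token only,
# store additionally needs the create.post privilege.
ROUTES = {("GET", "/api/posts"): None, ("POST", "/api/posts"): "create.post"}

def status_for(db, token, method, path):
    """HTTP status the guard chain would produce for this request."""
    if (method, path) not in ROUTES:
        return 404
    user_id = TOKENS.get(token)        # authentication step
    if user_id is None:
        return 401
    needed = ROUTES[(method, path)]    # authorization step
    if needed is not None and not has_privilege(db, user_id, needed):
        return 403
    return 200
```

Running every role's token against every route in a table like this is a quick way to spot routes that only check authentication when they should also check a privilege.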
Who Is This For?
Developers building API backends with Laravel who want a battle-tested, feature-rich permissions system and an easier path to role-based access control beyond Laravel’s core gates and policies.
Notable Quotes
"Login API route with email and password. And here I am in my Postman API client and I will send the post request with those values."
—Demonstrating how Tyro issues a login token for API access.
"We get the token. And with that token, I guess we need to copy that and then make all the requests with that token."
—Explaining token-based authorization workflow for subsequent API calls.
"To store the post the rules are in the post request. So we have title and body."
—Showing how privilege checks govern write operations like creating posts.
"Access denied 403 forbidden because that user doesn't have that privilege."
—Illustrating the enforcement of privileges for non-admin users.
"Tyro package has actually a lot of features. You can see the list here. 40 plus artisan commands is impressive alone."
—Highlighting the breadth of Tyro's capabilities and tooling.
Questions This Video Answers
- How does Tyro integrate with Laravel Sanctum for API authentication?
- Can I seed roles and privileges in Tyro and then assign them to users automatically?
- What are the steps to protect an API route with Tyro privileges in Laravel 12?
- How does Tyro handle admin versus regular user permissions for CRUD actions?
- Is Tyro worth it for small projects or only large applications with complex access control?
Laravel Tyro, Laravel Sanctum, API authentication, Roles and permissions, Postman API requests, Database seeds (roles, privileges, users), Pivot tables (user_roles, privilege_role), VS Code vs Cursor editing, Laravel 12
Full Transcript
Hello guys, today I want to demonstrate to you a Laravel package called Tyro by Hasin Hayder from Bangladesh, and it is presented as a powerful authentication, authorization, role and privilege solution. Interestingly, I saw this package roughly a month ago in an article on Laravel News as production ready APIs package. So in this video I will actually try to show both in a demo project. We will create API with roles and permissions. So the package has actually a lot of features. You can see the list here. 40 plus artisan commands is impressive alone. But let's try to scratch the surface and see what it does in a nutshell.
For that we will run two commands: composer require and tyro install. So here I am in a totally fresh Laravel 12 project. I run composer require and then, as you can see, the dependency is Laravel Sanctum. And now if I run tyro install, it's running install API for us, like we would run install API from Laravel, and see, there are quite a few database tables created with that. And let's seed Tyro roles, I will choose yes. And yeah, we have seeders for roles, privileges, which is the same as permissions in this case, and users. Install complete. What now? The next step is to prepare your user model, which is again an artisan command which adds HasTyroRoles inside.
You can add it manually. So the end result should be something like this. User model has Tyro in the use section and in here. By the way, side note, I'm trying VS Code as my editor because I was using Cursor. But then noticed that I may not need a subscription of Cursor since I'm using Claude Code for agentic coding, and for viewing and editing code I think VS Code as a free solution could be just enough. So this video is shot with VS Code. Now if we take a look at the database, here's what was seeded.
So we have roles from the system. Then we have privileges and a privilege_role pivot table with timestamps. And then we have users, default Tyro admin, and also user_roles, which is untypical pivot table name. It would be role_user, but in this case it's user_roles with foreign keys to both of those users and roles tables. Now how can we log in with that Tyro admin? Let's try the API route. According to the docs of Tyro, we can do something like this. Login API route with email and password. And here I am in my Postman API client and I will send the post request with those values.
And we get the token. And with that token, I guess we need to copy that and then make all the requests with that token. And for that I created specifically one API route, or in fact one API CRUD post controller, index, store and others, in the routes API, which is just simple getting the posts which are in the database, the Post model. Nothing really fancy. There's also resource, API resource here, but we're not talking about API functionality, we're talking about privileges. So let's try to get the posts list with that admin user. So here's my request, API post. And in the authorization bearer token, I pasted the one that I got from the login. We send and we get the data as we're logged in as that admin.
The posts are already in the database and look like this. So exactly what is expected. But now let's try to create a new post with admin, and later we will try to create a new post with regular user which I seeded from Laravel, test@example.com, who doesn't have the role of admin or its privileges. With privileges, there's also API to manage those privileges. You can create privileges from the admin, but I will do that manually in the database. So just in that database table I will duplicate that line and do posts create and slug create.post, description create post, something like that, and we will give that privilege ID six to the role of super admin.
So duplicate that one and privilege six. Okay, to store the post the rules are in the post request. So we have title and body. So this is my Postman request to create the post, again with authorization with bearer token, with body title and body, and let's see if it is successful. And it is, we have new ID of the post. Now let's try to do the same with a simple user. So demo post 2 and demo full text 2, but the login will be with different user. So I change the credentials to test example from Laravel.
We have the token of test user and we paste that token into create post here in the authorization bearer token. And now if we send, let's clear the response, and we send, and we should get 403. And of course it returns HTML, which means I forgot to pass Accept: application/json, which I tend to do in Postman. We send now and this is the API response: access denied, 403 forbidden, because that user doesn't have that privilege. But if we try to get the posts with the same user's credentials, we do have those posts, because in the routes API that route is protected only by Sanctum and storing post is protected by privileges. So yeah, a quick demo of that Tyro package, but documentation is huge, a lot of various features and options and a lot of things to read, and not only in the GitHub.
They also have documentation as a separate website. So, default roles are listed here. So, I will link all of that in the description below if you want to try it out. I would say it's like a package of Spatie Laravel Permission, but also more features like user suspension here and a few more details. Again, read that in the docs. What do you think? Would you use something like that in your projects? Apparently, a lot of people are happy with the package because more than 500 GitHub stars should mean something. And also, I added this package to the list of best Laravel packages curated over the years.
So, I remind you there's this page on Laravel Daily, grouped and categorized and showing the GitHub stars and links to the packages, all for free, and also related videos. If you have something about that package, the videos are here in the description. So, I will link that page in the description below.