Tyro Documentation

Complete guide to Authentication, Authorization, and Role & Privilege Management for Laravel 12 and 13.

Introduction

Tyro is the ultimate Authentication, Authorization, and Role & Privilege Management solution for Laravel. Think of it as a Swiss Army knife that handles everything from user authentication and fine-grained access control to user suspension workflows.

With native Sanctum integration, 44 powerful CLI commands, specialized Blade directives, ready-made middleware, and optional REST API endpoints, Tyro saves you weeks of development time while providing a robust, enterprise-grade architecture.

✓ Works Everywhere: Tyro is designed for APIs, traditional web apps, and hybrid applications. Use the features you need, disable the ones you don't. Zero lock-in.

Requirements

Before installing Tyro, ensure your environment meets these requirements:

  • PHP: 8.2 or higher
  • Laravel: 12.0 or 13.0
  • Laravel Sanctum: Required (auto-installed)
  • Database: MySQL, PostgreSQL, SQLite, or SQL Server

Installation

Step 1: Install the Package

Require the package in your project via Composer:

Terminal
composer require hasinhayder/tyro

Step 2: Run the Installer

Run the powerful, all-in-one setup command:

Terminal
php artisan tyro:install

This command automatically:

  • Calls Laravel's install:api to configure Sanctum
  • Runs all required database migrations
  • Seeds default system roles and privileges
  • Wires up your User model with the required Tyro traits

💡 Pro Tip: The installer is idempotent and safe to run multiple times. Use the --force flag in CI/CD pipelines to bypass prompts.

Updating Tyro

After updating Tyro with Composer, you must run migrations to apply any database schema changes.

Update Sequence
# Update the package
composer update hasinhayder/tyro

# Run migrations to apply new schema changes
php artisan migrate

Quick Start

After installation, you have a fully functional authentication system. Let's see it in action:

1. Login to the API

cURL
curl -X POST http://localhost/api/login \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{"email":"admin@tyro.project","password":"tyro"}'

2. Protect Your Routes

Immediately start protecting routes using the injected middleware aliases:

routes/web.php
Route::middleware(['auth', 'role:admin'])
    ->get('/admin/dashboard', DashboardController::class);

3. Check Permissions in Code

Utilize Tyro's fluent API directly on the User model:

Controller.php
// Check roles explicitly
if ($user->hasRole('editor')) {
    // ... editor-only logic
}

// Check granular privileges
if ($user->can('reports.run')) {
    // ... run the report
}

Roles & Privileges Architecture

Tyro operates on a pure RBAC (Role-Based Access Control) architecture. Users are assigned Roles (e.g., "admin", "editor"). Roles contain collections of Privileges (e.g., "users.delete", "reports.view"). Users automatically inherit all privileges assigned to their roles.

Default System Roles

Upon installation, Tyro seeds the database with foundational roles:

| Role Name | Slug | Description |
|---|---|---|
| Super Admin | super-admin | Absolute system access. Cannot be deleted via CLI. |
| Administrator | admin | Administrative access to manage users, roles, and content. |
| Editor | editor | Standard content management privileges. |
| User | user | The default role assigned to new registrations. |

⚠️ Protection Layer: Roles critical to the system (like admin and super-admin) are protected at the database level and cannot be accidentally deleted via standard API/CLI methods.

Middleware Aliases

Tyro registers 8 powerful middleware aliases for enforcing access control directly at the routing layer.

| Middleware Alias | Example Syntax | Behavior |
|---|---|---|
| role | role:admin | User must have the exact role. |
| roles | roles:admin,editor | User must have any one of the listed roles. |
| privilege | privilege:users.delete | User must possess the exact privilege. |
| privileges | privileges:x,y | User must possess any one of the listed privileges. |
| ability | ability:admin,x | User must possess ALL listed abilities (roles or privileges). |
| abilities | abilities:admin,y | User must possess ANY of the listed abilities. |
| tyro.log | tyro.log | Silently audits and logs the request/response cycle for the route. |
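
The ALL/ANY semantics of the access-control aliases above, together with privilege inheritance through roles, modeled in stand-alone PHP. This is an added example, not Tyro's own code: the role-to-privilege map and the function names are constructed for illustration, and tyro.log is left out because it does not make an access decision.

```php
<?php
// Added illustration: a stand-alone model of the alias semantics in the table.
// Not Tyro's source. ROLE_PRIVILEGES is constructed sample data.

const ROLE_PRIVILEGES = [
    'admin'  => ['users.delete', 'reports.view', 'reports.run'],
    'editor' => ['reports.view'],
    'user'   => [],
];

/** Privileges a user inherits through the given role slugs. */
function inheritedPrivileges(array $roles): array
{
    $privs = [];
    foreach ($roles as $role) {
        $privs = array_merge($privs, ROLE_PRIVILEGES[$role] ?? []);
    }
    return array_values(array_unique($privs));
}

/** Evaluate a middleware string such as "ability:admin,reports.view". */
function allows(string $middleware, array $roles): bool
{
    [$alias, $args] = array_pad(explode(':', $middleware, 2), 2, '');
    $wanted = array_unique(array_filter(array_map('trim', explode(',', $args)), 'strlen'));
    if ($wanted === []) {
        return false; // nothing listed: fail closed
    }
    $privs = inheritedPrivileges($roles);
    $pool  = match ($alias) {
        'role', 'roles'           => $roles,
        'privilege', 'privileges' => $privs,
        'ability', 'abilities'    => array_merge($roles, $privs),
        default => throw new InvalidArgumentException("Unknown alias: $alias"),
    };
    $hits = count(array_intersect($wanted, $pool));
    // Singular aliases require every listed item; plural aliases accept any one.
    $needAll = in_array($alias, ['role', 'privilege', 'ability'], true);
    return $needAll ? $hits === count($wanted) : $hits > 0;
}

// A user holding only the "editor" role, checked against five route guards.
$editor = ['editor'];
foreach (['role:admin', 'roles:admin,editor', 'privilege:reports.view',
          'ability:editor,users.delete', 'abilities:editor,users.delete'] as $mw) {
    printf("%-32s %s\n", $mw, allows($mw, $editor) ? 'allow' : 'deny');
}
```

The last two guards differ only by the trailing "s" yet give opposite results for this user, which is the case to watch for when reviewing route files.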

Blade Directives

Keep your views clean. Tyro injects 7 native Blade directives to handle UI rendering conditionally based on the authenticated user's access level.

resources/views/dashboard.blade.php
@hasRole('admin')
    <div>Rendered only for admins</div>
@endhasRole

@hasAnyRole('admin', 'editor')
    <div>Rendered for admins OR editors</div>
@endhasAnyRole

@hasPrivilege('reports.export')
    <button>Export CSV</button>
@endhasPrivilege

{{-- The @userCan directive wraps Laravel's native can() --}}
@userCan('users.delete')
    <button class="text-red-500">Delete</button>
@enduserCan

User Suspension

Never hard-delete a malicious user again. Tyro includes a first-class suspension workflow. When a user is suspended, all of their active Sanctum tokens are instantly revoked, and they are prevented from logging in.

CLI Control
# Suspend a user with an audit reason
php artisan tyro:user-suspend --user=malicious@email.com --reason="Spam activity"

# View all suspended users
php artisan tyro:user-suspended

# Restore access
php artisan tyro:user-unsuspend --user=malicious@email.com

Programmatic Control
// Suspend
$user->suspend('Violation of TOS');

// Check status
if ($user->isSuspended()) {
    echo $user->getSuspensionReason();
}
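
A feature test that pins down the suspension guarantee described above, as an added example rather than code from the Tyro project. It assumes the stock App\Models\User factory, that the optional API routes are enabled, and that /api/me answers 401 when the bearer token is no longer valid.

```php
<?php
// Added example, not from the Tyro repository. Place it in tests/Feature/.

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class SuspensionRevokesTokensTest extends TestCase
{
    use RefreshDatabase;

    public function test_suspend_deletes_every_token_and_records_the_reason(): void
    {
        $user = User::factory()->create();   // assumed: stock Laravel user factory
        $user->createToken('laptop');        // Sanctum's HasApiTokens
        $user->createToken('ci-runner');
        $this->assertSame(2, $user->tokens()->count());

        $user->suspend('Constructed reason for this test');

        $fresh = $user->fresh();
        $this->assertTrue($fresh->isSuspended());
        $this->assertSame('Constructed reason for this test', $fresh->getSuspensionReason());
        $this->assertSame(0, $user->tokens()->count());
    }

    public function test_token_minted_before_suspension_is_rejected_afterwards(): void
    {
        $user  = User::factory()->create();
        $token = $user->createToken('issued-before-suspension')->plainTextToken;

        $user->suspend('Constructed reason for this test');

        // Assumption: /api/me sits behind Sanctum auth and returns 401 for a dead token.
        $this->withToken($token)->getJson('/api/me')->assertUnauthorized();
    }
}
```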

Command Reference Guide

Tyro bundles 44 Artisan commands. Here are the most critical ones for daily management.

User & Role Commands

tyro:role-assign
Attaches a role to a user. Supports interactive prompting if arguments are omitted.
php artisan tyro:role-assign --user=1 --role=admin

tyro:user-roles
Lists all roles currently assigned to a specific user.
php artisan tyro:user-roles 1

tyro:user-privileges
Calculates and lists every single privilege a user has inherited through their roles.
php artisan tyro:user-privileges 1

Token & Auth Commands

tyro:login
Validates credentials and mints a new Sanctum token for the user.
php artisan tyro:login --user=admin@example.com

tyro:auth-me
Allows you to paste a bearer token into the CLI to inspect its owner and abilities.
php artisan tyro:auth-me

tyro:auth-logout-all-users
Emergency command. Revokes EVERY single active token in the database.
php artisan tyro:auth-logout-all-users --force

REST API Endpoints

Tyro optionally provides a full suite of production-ready API endpoints. If you don't need them, set TYRO_DISABLE_API=true in your .env.

Authentication

| Method | Endpoint | Description |
|---|---|---|
| POST | /api/login | Authenticate and receive a Sanctum token |
| POST | /api/users | Public registration endpoint |
| GET | /api/me | Get the authenticated user's profile and roles |

Admin Endpoints (Requires admin role)

| Method | Endpoint | Description |
|---|---|---|
| GET | /api/users | List all registered users |
| POST | /api/users/{id}/suspend | Suspend a user account |
| POST | /api/roles | Create a new system role |
| POST | /api/users/{id}/roles | Assign a role to a user |

Immutable Audit Trail

Tyro automatically records an immutable ledger of all critical administrative actions. It tracks who did what, to whom, and when.

Monitored Events

  • User suspension and restoration (includes reasons)
  • Role assignment and removal
  • Role/Privilege creation, modification, and deletion

Viewing Logs

CLI
# View the most recent 20 events
php artisan tyro:audit-list

# Filter by specific event type
php artisan tyro:audit-list --event=user.suspended

# Automatic log rotation (purge logs older than 30 days)
php artisan tyro:audit-purge

Need more help? Check the source code or open an issue.
