Authorize Broadcast Channel
POST /api/broadcasting/auth
Authorizes a Laravel Echo (Reverb WebSocket) private-channel subscription for the SPA.
This is the Bearer-token equivalent of the framework's web /broadcasting/auth route — it runs in the API middleware stack so Personal Access Tokens and the X-Tenant-Id header work. Laravel Echo calls it automatically (authEndpoint); it is documented here for debugging channel subscriptions.
Authorization rules (routes/channels.php):
- Tenancy must be initialized for the request (X-Tenant-Id header on multi-tenant hosts)
- The {tenantId} segment in the channel name must match the active tenant
- The {userId} segment must match the authenticated user
- Un-scoped legacy channels are rejected (fail closed)
Returns a pusher-protocol auth signature the client passes back to Reverb to complete the subscription.
Note: pusher-js sends this request as application/x-www-form-urlencoded.
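The decision described above, modelled as a small Node.js function for debugging a subscription. This is an added example, not the project's routes/channels.php. The channel pattern `tenants.{tenantId}.users.{userId}`, the status mapping, the `ctx` shape and all sample values are assumptions.

```javascript
const { createHmac } = require("node:crypto");

// Assumed (hypothetical) scoped channel pattern: tenants.{tenantId}.users.{userId}.
// The client sends it with the pusher "private-" prefix.
const SCOPED = /^private-tenants\.([^.]+)\.users\.([^.]+)$/;

// Pusher-protocol private-channel auth value:
//   "<app key>:" + hex(HMAC-SHA256(app secret, "<socket_id>:<channel_name>"))
function sign(appKey, appSecret, socketId, channelName) {
  const mac = createHmac("sha256", appSecret)
    .update(`${socketId}:${channelName}`)
    .digest("hex");
  return `${appKey}:${mac}`;
}

// ctx:  { user: {id} | null, tenantId: string | null, appKey, appSecret }
// body: raw application/x-www-form-urlencoded string, as pusher-js sends it.
// Status mapping is an assumption: 401 = no authenticated user, 403 = rule failed.
function authorize(ctx, body) {
  const form = new URLSearchParams(body);
  const socketId = form.get("socket_id");
  const channel = form.get("channel_name") ?? "";
  if (!ctx.user) return { status: 401 };
  if (!ctx.tenantId) return { status: 403 }; // tenancy not initialized
  const m = SCOPED.exec(channel);
  if (!socketId || !m) return { status: 403 }; // un-scoped or malformed: fail closed
  const [, tenantId, userId] = m;
  if (tenantId !== String(ctx.tenantId)) return { status: 403 }; // other tenant
  if (userId !== String(ctx.user.id)) return { status: 403 }; // other user
  return { status: 200, auth: sign(ctx.appKey, ctx.appSecret, socketId, channel) };
}

// Constructed sample values, not taken from a real deployment.
const ctx = { user: { id: 42 }, tenantId: "acme", appKey: "app-key", appSecret: "app-secret" };
const body = "socket_id=1234.5678&channel_name=private-tenants.acme.users.42";
console.log(authorize(ctx, body));
```

Comparing the `auth` value computed here with the one the endpoint returns for the same `socket_id` and `channel_name` shows whether a failed subscription comes from the authorization rules or from a key/secret mismatch with Reverb.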
Request
Responses
- 200 OK (Response Headers: Content-Type)
- 401 Unauthorized (Response Headers: Content-Type)
- 403 Forbidden (Response Headers: Content-Type)