Skip to main content

Overview

Laravel 13 lets you assign middleware and authorization checks to controllers using PHP attributes. Instead of implementing the HasMiddleware interface or adding can middleware to routes, you simply annotate the class or method.
All controller attributes live in the Illuminate\Routing\Attributes\Controllers namespace.

#[Middleware] — Assigning Middleware

Applying to a Class

A class-level #[Middleware] attribute applies the middleware to every action in the controller.
Stack multiple attributes to apply several middleware:

Applying to a Method

Method-level middleware is merged with any class-level middleware.

only / except Constraints

Use only or except on a class-level attribute to limit which methods it targets.

Closure Middleware

Attributes also accept closures for inline middleware logic.

Comparison with the middleware() Method

When using attributes you do not need to implement HasMiddleware. Avoid mixing the middleware() method with attributes on the same controller to prevent unexpected behavior.

#[WithoutMiddleware] — Excluding Middleware

Remove middleware that was applied at the class level from specific methods or the entire class.

Applying to a Method

Class-Level Exclusion with only / except

#[WithoutMiddleware] only removes route middleware. It cannot remove global middleware registered in app/Http/Kernel.php.

#[Authorize] — Policy Authorization

A convenient shorthand for the can middleware. Declare policy checks directly on controller methods.

Basic Usage

The Second Argument

Comparison with Route Middleware

Practical Example: Full Resource Controller

When to Use Attributes vs. Other Approaches

Next Steps

PHP Attributes (Queues & Eloquent)

PHP attributes for queue jobs and Eloquent models.

Controllers

Learn the basics of Laravel controllers.
Last modified on July 15, 2026