This project is a RESTful API built with PHP and Object-Oriented Programming (OOP).
It was created as a learning project to understand how APIs are designed, consumed, and secured using token-based authentication.
The API is currently online and running, and it is also consumed by a Vue.js dashboard implemented in a separate repository: AplicacionVueJs.
Live API endpoint:
https://apirest.pablogaray.com.ar
Role: Backend Developer (PHP)
Type: REST API
Status: Completed
This project was developed to learn:
- How a REST API works internally
- HTTP methods (GET, POST, PUT, DELETE)
- Token-based authentication
- API error handling
- Pagination
- Working with Postman and API testing tools
- Cron jobs for token expiration
- PHP OOP applied to APIs
- API authentication with tokens
- Public vs protected endpoints
- Error responses structure
- Handling headers and request bodies
- Basic security concepts
- API consumption from external applications
- Cron jobs for background tasks
Authenticate a user and receive an access token.
Endpoint
POST https://apirest.pablogaray.com.ar/auth.php
Body (JSON):

```json
{
  "user": "[email protected]",
  "pass": "password"
}
```

Test credentials:

```json
{
  "user": "[email protected]",
  "pass": "123456"
}
```

The API returns a token required to access protected endpoints.
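A PHP client for the flow described above (log in, keep the token, then call a protected endpoint with it), added here as an example; it is not code from the project. It assumes the auth response carries the token under `result.token` (the page does not document the field name), that new patients are created with `POST /pacientes.php`, and that credentials are supplied through the `API_USER` and `API_PASS` environment variables rather than written into source.

```php
<?php
// Added example: consuming the API from an external PHP application.
// Assumptions (not documented on the page): the auth reply exposes the token as
// result.token, and patients are created via POST /pacientes.php.
declare(strict_types=1);

const API_BASE = 'https://apirest.pablogaray.com.ar';

/** Send a JSON request and decode the JSON reply; throws on transport or parse errors. */
function apiRequest(string $method, string $path, array $body = [], array $headers = []): array
{
    $ch = curl_init(API_BASE . $path);
    $headers[] = 'Content-Type: application/json';
    curl_setopt_array($ch, [
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_SSL_VERIFYPEER => true,   // keep certificate verification on
        CURLOPT_TIMEOUT        => 10,
    ]);
    if ($body !== []) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($body, JSON_THROW_ON_ERROR));
    }
    $raw = curl_exec($ch);
    if ($raw === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("Transport error: $err");
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return ['http' => $status, 'json' => json_decode($raw, true, 512, JSON_THROW_ON_ERROR)];
}

/** Raise a readable exception from the API's structured error object. */
function failIfError(array $json, string $context): void
{
    if (($json['status'] ?? '') === 'error') {
        throw new RuntimeException(sprintf('%s failed (%s): %s', $context,
            $json['result']['error_id'] ?? '?', $json['result']['error_msg'] ?? 'unknown error'));
    }
}

/** Authenticate against auth.php and return the access token. */
function login(string $user, string $pass): string
{
    $resp = apiRequest('POST', '/auth.php', ['user' => $user, 'pass' => $pass]);
    failIfError($resp['json'], 'Auth');
    $token = $resp['json']['result']['token'] ?? null;   // assumed field name
    if (!is_string($token) || $token === '') {
        throw new RuntimeException('No token in auth response');
    }
    return $token;
}

// Credentials come from the environment, never from the repository.
$token = login(getenv('API_USER') ?: '', getenv('API_PASS') ?: '');

// Create a patient; the token travels in the body, as the page documents.
$create = apiRequest('POST', '/pacientes.php', [
    'dni' => '12345678', 'nombre' => 'John', 'apellido' => 'Doe', 'genero' => 'Mas',
    'fechaNacimiento' => '1990-01-01', 'direccion' => 'Street 123',
    'tel' => '123456789', 'email' => 'john.doe@example.invalid',   // constructed sample data
    'token' => $token,
]);
failIfError($create['json'], 'Create patient');
echo $create['http'], ' ', json_encode($create['json']), PHP_EOL;
```

Run it with `API_USER=... API_PASS=... php client.php`. Reading the credentials from the environment and checking the `status: error` envelope on every call are the two habits this project's design makes easy to adopt.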
Retrieve patients without authentication.
Examples:
- GET /pacientes
- GET /pacientes.php?page=1
- GET /pacientes.php?id=10
Pagination is enabled (default: 100 records per page).
Create a new patient.

```json
{
  "dni": "12345678",
  "nombre": "John",
  "apellido": "Doe",
  "genero": "Mas",
  "fechaNacimiento": "1990-01-01",
  "direccion": "Street 123",
  "tel": "123456789",
  "email": "[email protected]",
  "token": "ACCESS_TOKEN"
}
```

Update an existing patient.

```json
{
  "pacienteId": "1",
  "nombre": "John",
  "apellido": "Doe",
  "email": "[email protected]",
  "token": "ACCESS_TOKEN"
}
```

Option 1 – Body

```json
{
  "pacienteId": "1",
  "token": "ACCESS_TOKEN"
}
```

Option 2 – Headers

```json
{
  "Paciente-Id": "1",
  "Token": "ACCESS_TOKEN"
}
```

Errors are returned using a structured JSON response:

```json
{
  "status": "error",
  "result": {
    "error_id": "400",
    "error_msg": "Invalid or incomplete data"
  }
}
```

This approach was chosen to simulate real-world API responses.
A cron job runs periodically to invalidate expired tokens. This simulates how APIs manage session security in production environments.
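Server-side handling of the token model described above (token read from the body or the `Token` header, checked against its expiry, structured error on failure, and the cron step that removes expired rows), added here as an example and not the project's own code. It assumes a `usuarios_token` table with columns `token`, `usuario_id` and `expira` (DATETIME); the real column names are not on the page. The connection parameters are placeholders.

```php
<?php
// Added example: token gate for a protected endpoint plus the cron cleanup.
// Assumed schema for usuarios_token: token VARCHAR, usuario_id INT, expira DATETIME.
declare(strict_types=1);

/** Read the token from the Token header (Option 2) or the JSON body (Option 1). */
function extractToken(): ?string
{
    $header = $_SERVER['HTTP_TOKEN'] ?? null;          // "Token: ..." request header
    if (is_string($header) && $header !== '') {
        return $header;
    }
    $body  = json_decode(file_get_contents('php://input') ?: '', true);
    $token = $body['token'] ?? null;
    return (is_string($token) && $token !== '') ? $token : null;
}

/** Emit the API's structured error envelope with a matching HTTP status and stop. */
function sendError(int $code, string $msg): void
{
    http_response_code($code);
    header('Content-Type: application/json');
    echo json_encode([
        'status' => 'error',
        'result' => ['error_id' => (string) $code, 'error_msg' => $msg],
    ]);
    exit;
}

/**
 * Look the token up with a prepared statement. The expiry check is part of the
 * query, so a token past its `expira` timestamp is rejected even if the cron
 * job has not removed it yet. Returns the owning user id, or null.
 */
function validateToken(mysqli $db, string $token): ?int
{
    $stmt = $db->prepare(
        'SELECT usuario_id FROM usuarios_token WHERE token = ? AND expira > NOW() LIMIT 1'
    );
    $stmt->bind_param('s', $token);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ? (int) $row['usuario_id'] : null;
}

/** Cron step: delete expired rows so the table does not grow without bound. Returns the row count. */
function purgeExpiredTokens(mysqli $db): int
{
    $stmt = $db->prepare('DELETE FROM usuarios_token WHERE expira <= NOW()');
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

// Gate for a protected endpoint. Connection values are placeholders; the project
// reads them from clases/conexion/config.
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
$token = extractToken();
if ($token === null) {
    sendError(401, 'Missing token');
}
$userId = validateToken($db, $token);
if ($userId === null) {
    sendError(401, 'Invalid or expired token');
}
// ... handle the request on behalf of $userId
```

Putting `expira > NOW()` in the lookup is the part that matters: the cron job is housekeeping, and the endpoint must not depend on it having run recently. `purgeExpiredTokens()` is what a `cron/` script would call on its schedule.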
The project uses MySQL with the following tables:
- usuarios
- usuarios_token
- pacientes
A SQL dump is included to create the database structure.
Sample data can be added manually for testing purposes.
Database credentials are stored in a simple JSON-based config file:
clases/conexion/config
This approach was used for learning purposes.
In a production environment, environment variables or .env files are recommended.
Passwords are hashed using MD5, intentionally kept simple for learning purposes.
MD5 is NOT secure and should never be used in production.
A future improvement would be migrating to password_hash() and password_verify().
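One way to carry out that migration without resetting every account, added here as an example and not the project's own code: verify against the legacy MD5 value when that is what is stored, and on a successful login rewrite the row with `password_hash()`. It assumes a `usuarios` table with columns `id`, `email` and `pass`, where `pass` holds either a 32-character MD5 hex digest or a `password_hash()` string; those names are assumptions, as is the `$db` connection.

```php
<?php
// Added example: verify-and-upgrade login for the MD5 -> password_hash() migration.
// Assumed schema for usuarios: id INT, email VARCHAR, pass VARCHAR (MD5 hex or password_hash()).
declare(strict_types=1);

/** True if the stored value is a legacy MD5 digest rather than a password_hash() string. */
function isLegacyMd5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

/**
 * Check the password; if the stored hash is legacy MD5 (or a password_hash()
 * value with an outdated cost) and the password is correct, rewrite it with
 * password_hash(). Returns the user id on success, null otherwise.
 */
function verifyAndUpgrade(mysqli $db, string $email, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, pass FROM usuarios WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if (!$row) {
        // Spend the same work as a real verify so an unknown e-mail is not
        // distinguishable by response time. The dummy hash is computed once.
        static $dummy = null;
        $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return null;
    }

    $stored = (string) $row['pass'];
    if (isLegacyMd5($stored)) {
        // Constant-time comparison of the legacy digest; always rehash afterwards.
        $ok = hash_equals(strtolower($stored), md5($password));
        $needsRehash = true;
    } else {
        $ok = password_verify($password, $stored);
        $needsRehash = password_needs_rehash($stored, PASSWORD_DEFAULT);
    }
    if (!$ok) {
        return null;
    }

    if ($needsRehash) {
        $id  = (int) $row['id'];
        $new = password_hash($password, PASSWORD_DEFAULT);   // bcrypt, salted per user
        $upd = $db->prepare('UPDATE usuarios SET pass = ? WHERE id = ?');
        $upd->bind_param('si', $new, $id);
        $upd->execute();
        $upd->close();
    }
    return (int) $row['id'];
}

// Usage inside auth.php (connection values are placeholders):
// $db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
// $userId = verifyAndUpgrade($db, $input['user'], $input['pass']);
```

After enough logins the `usuarios.pass` column holds only `password_hash()` values and the `isLegacyMd5()` branch can be deleted; `password_needs_rehash()` then keeps doing the same job for future cost increases.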
- PHP (OOP)
- MySQL (mysqli)
- Apache (.htaccess)
- JSON
- Postman
- Cron Jobs
- Basic HTML & CSS (API documentation page)
- assets/
- estilos.css
- clases/
- conexion/
- conexion.php
- config
- actualizar_token.php
- auth.class.php
- eliminar_token.php
- pacientes.class.php
- respuestas.class.php
- token.class.php
- conexion/
- cron/
- actualizar_token.php
- auth.php
- ignore.gitignore
- index.php
- pacientes.php
- .htaccess
- Designing APIs with consistent error handling improves frontend integration.
- Token-based authentication requires careful expiration and retry logic.
- Proper documentation significantly reduces onboarding time.
- Replace `md5` with `password_hash`
- Migrate from `mysqli` to `PDO`
- Add rate limiting
- Improve CORS handling
- Add API versioning
- Dockerize the project
Pablo Garay
Personal website