How to update API resource Laravel?

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company

How to Update API Resources in Laravel: Mastering Eloquent Updates

Building robust APIs with Laravel often involves handling resource updates, and while using Route::resource sets up the scaffolding perfectly, implementing the update logic correctly—especially when dealing with JSON payloads and API Resources—can be tricky. Many developers run into issues when trying to mix standard Eloquent methods with request input in an API context.

This post will dive deep into why your attempt might not be working and provide the most robust, developer-approved method for updating resources in a Laravel API.

The Pitfall of Direct Updates in API Controllers

You are attempting to use the Eloquent update() method directly within your controller:

public function update(Request $request, Sample $sample)
{
    $sample = Sample::where('id', $request->id)->update($request->all());   
}

While this looks straightforward, API updates often fail for a few reasons in a production environment:

  1. Mass Assignment Security: Relying solely on $request->all() can expose potential mass assignment vulnerabilities if you are not strictly validating the incoming data.
  2. Resource Retrieval: When using Route Model Binding (as implied by $sample being injected), Laravel has already fetched the model. Overwriting it directly with a separate where()->update() call can lead to inconsistencies, especially if you intend to use API Resources for shaping the final output.
  3. Request Handling: For API development, the best practice is to separate validation from business logic. Mixing these steps directly in the controller makes debugging difficult.

The Correct Approach: Validation and Eloquent Transactions

The most secure and maintainable way to handle updates in Laravel APIs is by utilizing Form Requests for validation and ensuring you are working with the correct scope of data retrieval. This aligns perfectly with modern Laravel architecture principles, which emphasize clean separation of concerns. As noted on the official documentation from laravelcompany.com, structuring your application around these patterns leads to more scalable code.

Here is the recommended way to handle an update request:

Step 1: Create a Form Request (Best Practice)

Create a dedicated Form Request class to handle all validation rules for your update operation. This keeps your controller clean.

php artisan make:request UpdateSampleRequest

In app/Http/Requests/UpdateSampleRequest.php:

public function authorize()
{
    return true; // Or implement proper authorization checks
}

public function rules()
{
    return [
        'name' => 'required|string|max:255',
        'email' => 'nullable|email',
        // Add other relevant fields here
    ];
}

Step 2: Implement the Controller Logic

In your controller, inject the validated request and use Eloquent’s findOrFail method to ensure you are updating an existing record safely.

use App\Models\Sample;
use Illuminate\Http\Request;

class SampleController extends Controller
{
    public function update(Request $request, Sample $sample)
    {
        // 1. Validate the incoming data (handled automatically by the request object)
        $validatedData = $request->validate($request->rules());

        // 2. Update the model
        $sample->update($validatedData);

        // 3. Return the updated resource using an API Resource
        return new SampleResource($sample); // Assuming you have a SampleResource
    }
}

Step 3: Leverage API Resources for Output

Once the database record is successfully updated, you should always use an API Resource to format the response. This ensures that your API output remains consistent, regardless of whether the data was created or updated. If you are using resources (as mentioned in your initial context), ensure the resource handles the mapping correctly based on the updated model instance.

Conclusion

The failure you experienced likely stemmed from mixing raw database operations with input handling without proper validation and structure. By adopting the pattern of Form Requests for validation and using Eloquent methods like update() or save() directly on a retrieved, validated model instance, you ensure data integrity and security. Always prioritize separation of concerns when building APIs; this approach will serve you well as you scale your application, much like following best practices outlined by laravelcompany.com.