Laravel Middleware in Laravel 12 (2026): Explained Simply, the New Way (With Real-World Examples)

Let me guess what happened.

You opened a Laravel 12 project, followed an older tutorial, and it said:
“Open app/Http/Kernel.php…”

You looked around.
Nothing.
No Kernel.php.
No $middlewareGroups.

At that moment, every beginner thinks:
“Did I install Laravel wrong?”

You didn’t. Laravel 12 just changed where middleware is registered. And honestly? Once you understand it, the new way is actually cleaner.

Let’s walk through Laravel middleware in 2026, using Laravel 12, in simple terms, with real-world examples, and zero confusion.

What Is Middleware? (Still the Same Idea)

Even in Laravel 12, the concept of middleware hasn’t changed.

Middleware is a checkpoint that every request must pass through.

Think of it like this

Imagine entering an office building:

1. You walk in (request)
2. Security checks you (middleware)
3. You reach your desk (controller)
4. Security logs you leaving (response)

Middleware sits between the user and your application logic.

What Changed in Laravel 12?

Old Laravel (pre-12)

• Middleware registered in app/Http/Kernel.php
• Middleware groups like web and api lived there

Laravel 12 (current way)

• No Kernel.php
• Middleware is configured inside:

bootstrap/app.php

This is the biggest reason beginners get stuck in 2026.

Where Middleware Lives in Laravel 12

1️⃣ Middleware classes (same as before)

Custom middleware still lives here:

app/Http/Middleware

That part did not change.

2️⃣ Middleware registration (new place)

Open:

bootstrap/app.php

You’ll see something like this (simplified):

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withMiddleware(function (Middleware $middleware) {

        // Global middleware
        $middleware->append([
            // Example:
            // \App\Http\Middleware\TrustProxies::class,
        ]);

        // Middleware aliases (replaces Kernel.php)
        $middleware->alias([
            'auth' => \App\Http\Middleware\Authenticate::class,
            'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
        ]);

    })
    ->create();

This file replaces what Kernel.php used to do.

Understanding Middleware Types (Beginner-Friendly)

1) Global Middleware (Runs on Every Request)

These middleware run for every page, every request.

Real-world example

Security scanners at the entrance of a mall — everyone goes through them.

$middleware->append([
    \App\Http\Middleware\TrimStrings::class,
]);

2) Route Middleware (Most Common)

This is what beginners use most.

Example:

Route::get('/dashboard', function () {
    return view('dashboard');
})->middleware('auth');

Meaning:
“Only logged-in users can access this page.”

Real-world example

You need a membership card to enter a gym.

Built-In Middleware You’ll Use a Lot

auth – Are you logged in?

->middleware('auth')

If not logged in → redirected to login page.

guest – Logged-in users should NOT be here

->middleware('guest')

Used for:

• Login
• Register
• Forgot password pages

Real-world example

You don’t show a “Create Account” form to someone who already has one.

throttle – Slow people down

->middleware('throttle:60,1')

Limits requests to 60 per minute.

Real-world example

A ticket counter that only serves one person at a time to avoid chaos.

Creating Custom Middleware (Laravel 12 Way)

This is where middleware really shines.

Step 1: Create middleware

php artisan make:middleware EnsureUserIsAdmin

Laravel creates:

app/Http/Middleware/EnsureUserIsAdmin.php

Step 2: Write the logic

public function handle($request, Closure $next)
{
    if (!auth()->check() || !auth()->user()->is_admin) {
        abort(403);
    }

    return $next($request);
}

What this does:

• Checks if user is logged in
• Checks if user is admin
• Blocks access if not

Real-world example

Only managers can enter the control room.

Step 3: Register the middleware alias (Laravel 12 style)

In bootstrap/app.php:

$middleware->alias([
    'admin' => \App\Http\Middleware\EnsureUserIsAdmin::class,
]);

This replaces $routeMiddleware from old Laravel.

Step 4: Use it on routes

Route::get('/admin', function () {
    return 'Admin Panel';
})->middleware('admin');

Clean. Simple. Reusable.

Middleware Groups in Laravel 12 (Yes, They Still Exist)

Laravel still uses groups, but they are defined differently.

You don’t usually edit them directly as a beginner — Laravel already sets them up internally.

Conceptually:

• Web routes → cookies, sessions, CSRF
• API routes → stateless, throttled

Real-world analogy

Same company, different rules:

• Office staff use ID cards
• Warehouse staff use badges

You can still apply middleware in groups like:

Route::middleware(['auth', 'admin'])->group(function () {
    Route::get('/settings', fn () => 'Settings');
    Route::get('/users', fn () => 'Users');
});

Middleware vs Controller Logic (Very Common Beginner Mistake)

Beginner approach ❌

if (!auth()->check()) {
    return redirect('/login');
}

Middleware approach ✅

->middleware('auth')

Why middleware is better

• No repeated code
• Easier to maintain
• Cleaner controllers
• Better security

If you repeat the same if statement more than twice, middleware is your friend.

Warning: Middleware Order Still Matters

Some middleware depends on:

• Sessions
• Authentication
• Cookies

If they run too early, things break silently.

Rule of thumb:
If your middleware needs auth()->user(), it must run after session middleware.

Laravel handles this for most cases—but it’s good to know when debugging weird issues.

Pro Tip: When Should You Use Middleware?

Middleware is perfect for:

• Admin checks
• Role-based access
• Subscription checks
• Maintenance mode
• API authentication
• Feature toggles
• Request logging

If it’s about access control, middleware is usually the right tool.

Quick Summary (Beginner Version)

• Middleware = request checkpoint
• It runs before controllers
• Laravel 12 moved registration to bootstrap/app.php
• Kernel.php no longer exists
• Middleware keeps your app clean, secure, and readable

Once middleware clicks, Laravel suddenly feels much easier to manage.

FAQ (Beginner Questions)

1) Why did Laravel remove Kernel.php?

To simplify bootstrapping and centralize configuration. It reduces magic and makes the app lifecycle clearer.

2) Can I still use multiple middleware on one route?

Yes:

->middleware(['auth', 'admin'])

3) Should beginners use middleware early?

Absolutely. Middleware prevents bad habits like duplicating checks inside controllers.