Released on March 17, 2026, Laravel 13 is officially here — and the headline isn’t any single feature. It’s the promise Taylor Otwell made at Laracon EU 2026: zero breaking changes, a 10-minute upgrade path, and substantial new capabilities that change how you write Laravel code going forward.
If you’ve been holding off on upgrades because of past migration pain, Laravel 13 is the release that rewards your patience. Let’s walk through everything new, feature by feature.
The Big Picture: What Laravel 13 Is About
Laravel 13 doesn’t reinvent the framework. Instead, it doubles down on three clear priorities: AI-native development, cleaner, more expressive syntax, and stronger defaults across queues, cache, and security.
The result is a release that feels like Laravel leveling up rather than starting over. Most applications will upgrade with minimal friction, and several features will genuinely change how you design code going forward.
Support timeline at a glance:
- Bug fixes until Q3 2027
- Security fixes until March 17, 2028
- Minimum PHP version: 8.3
If you’re still on PHP 8.2, upgrade your PHP runtime first — then upgrade Laravel. Running composer update on PHP 8.2 while targeting Laravel 13 will cause dependency resolution failures.
Feature 1: Native PHP Attributes — The Biggest Quality-of-Life Win in Years
This is the feature developers will talk about most. Laravel 13 introduces native PHP 8 Attributes as an alternative to class property declarations across more than 15 locations in the framework — models, controllers, jobs, commands, listeners, mailables, notifications, and broadcast events.
Before (Laravel 12):
class User extends Model
{
protected $table = 'users';
protected $primaryKey = 'user_id';
protected $keyType = 'string';
public $incrementing = false;
protected $fillable = ['name', 'email'];
protected $hidden = ['password', 'remember_token'];
}
After (Laravel 13):
#[Table('users', key: 'user_id', keyType: 'string', incrementing: false)]
#[Fillable('name', 'email')]
#[Hidden('password', 'remember_token')]
class User extends Model {}
Clean. Declarative. No more walls of protected arrays at the top of every model.
The same applies to Artisan commands, which can now define their signature and description via attributes:
#[Command(signature: 'emails:send', description: 'Send queued emails')]
class SendEmails extends Command
{
public function handle(): void
{
// ...
}
}
Important: This is entirely non-breaking. Every existing property-based declaration continues to work exactly as before. You adopt attributes on your own timeline — new projects can go all-in immediately, existing projects can migrate gradually.
Feature 2: First-Party Laravel AI SDK (Now Stable)
This is the headline feature for forward-looking projects. On the same day as Laravel 13, the Laravel AI SDK moved from beta to production-stable as a first-party package.
It provides a single, provider-agnostic interface for text generation, tool-calling agents, image creation, audio synthesis, and embedding generation — with built-in retry logic, error normalization, and queue integration.
Text generation:
use App\Ai\Agents\SalesCoach;
$response = SalesCoach::make()->prompt('Analyze this sales transcript...');
return (string) $response;
Image generation:
use Laravel\Ai\Image;
$image = Image::of('A serene mountain landscape at sunrise')->generate();
Audio synthesis:
use Laravel\Ai\Audio;
$audio = Audio::of('Welcome to our platform.')->generate();
$rawContent = (string) $audio;
Embeddings for semantic search:
$documents = DB::table('documents')
->whereVectorSimilarTo('embedding', 'Best restaurants in Mumbai')
->limit(10)
->get();
That last example is particularly powerful — vector similarity search is now a first-class query builder feature, enabling semantic search experiences directly against PostgreSQL with pgvector, without any external service.
The SDK is provider-agnostic, meaning you can swap between OpenAI, Anthropic, or other supported providers by changing configuration, not application code.
Feature 3: Reverb Database Driver — Real-Time Without Redis
Previously, running Laravel Reverb (the framework’s WebSocket server) in production meant standing up Redis. That’s a real infrastructure burden for smaller teams and solo developers.
Laravel 13 ships a native database driver for Reverb. You can now power real-time WebSocket broadcasting using your existing database — no Redis required.
For apps that don’t need the extreme throughput Redis offers, this is a significant simplification. One less infrastructure dependency, one less thing to configure and maintain.
Feature 4: Passkey Authentication
Laravel 13 ships with native passkey authentication support. Passkeys are the modern, phishing-resistant replacement for passwords — based on the WebAuthn standard, they let users authenticate with biometrics or device PINs instead of typed credentials.
This is now built directly into Laravel’s authentication scaffolding. If you’re starting a new project in 2026, there’s a strong case for skipping traditional passwords entirely and shipping passkeys from day one.
Feature 5: JSON:API Resources — First-Party Support
If you’ve ever tried to build a strictly JSON:API-compliant API in Laravel, you know the pain: manually constructing resource objects, relationships, sparse fieldsets, and the correct response headers is tedious boilerplate.
Laravel 13 makes this first-party. The new JsonApiResource class handles all of it automatically:
use Illuminate\Http\Resources\JsonApi\JsonApiResource;
class UserResource extends JsonApiResource
{
public function attributes(): array
{
return [
'name' => $this->name,
'email' => $this->email,
];
}
public function relationships(): array
{
return [
'posts' => PostResource::collection($this->posts),
];
}
}
The resource handles serialization, relationship inclusion, sparse fieldsets, links, and JSON:API-compliant response headers automatically. For teams building APIs consumed by mobile apps or third-party clients, this is a welcome addition.
Feature 6: Enhanced CSRF — PreventRequestForgery
Laravel 13 formalizes and enhances its CSRF protection middleware, renaming it to PreventRequestForgery and adding origin-aware request verification on top of the existing token-based system.
This means Laravel now validates both the CSRF token and the request origin, providing defense in depth against cross-site request forgery attacks. The change is backward-compatible with token-based CSRF but adds an important extra layer of security for modern web applications.
If your app uses custom CSRF handling or middleware, this is one area to check carefully during your upgrade.
Feature 7: Centralized Queue Routing
Previously, specifying which queue and connection a job should use required either setting properties on each individual job class or repeating the configuration at every dispatch site. Neither approach is ideal for large applications where queue topology might change.
Laravel 13 introduces Queue::route(), a way to define queue routing from a single location in a service provider:
Queue::route(ProcessPodcast::class, queue: 'media', connection: 'redis');
Queue::route(SendWelcomeEmail::class, queue: 'emails', connection: 'sqs');
This separates infrastructure concerns from business logic — your job classes stay clean, and changing queue topology is a single-file edit rather than a search-and-replace across your codebase.
Feature 8: Cache::touch() — Extend TTL Without Re-Fetching
A small but genuinely useful addition. Cache::touch() lets you extend a cache entry’s TTL without having to retrieve and re-store the value:
// Extend the cache entry's TTL by another 30 minutes
Cache::touch('user:123:session', now()->addMinutes(30));
Previously, you’d need to get the value, then put it back with a new expiry — two operations instead of one. Useful for sliding-window session management, frequently-accessed but rarely-changed data, and any scenario where you want to keep a cache entry warm without paying the cost of regenerating it.
How to Upgrade
The upgrade path from Laravel 12 to 13 is straightforward for most applications.
Step 1: Upgrade PHP first
php -v
Make sure you’re on PHP 8.3 or higher before touching Composer dependencies.
Step 2: Update your composer.json
"laravel/framework": "^13.0"
Step 3: Run the upgrade
composer update
Step 4: Review three areas carefully
PreventRequestForgeryorigin config (new CSRF middleware name)- Cache serialization rules (check your custom cache store implementations)
- Cache and session naming defaults (may have changed)
Step 5: Run your full test suite on staging before deploying to production.
If you have a large codebase, Laravel Shift automates most of the mechanical changes and opens a pull request with reviewable commits — well worth the cost for complex projects.
Ecosystem Compatibility
The major ecosystem packages are already Laravel 13-ready:
- Livewire ✅
- Inertia.js ✅
- Filament ✅
- Spatie packages ✅
Always verify on each package’s GitHub releases before upgrading in production.
Should You Upgrade Now?
Yes, if your test coverage is solid. The upgrade is genuinely low-risk for most applications, the performance gains from PHP 8.3’s JIT improvements are real, and the new features — especially the AI SDK and PHP Attributes — are worth having access to.
Wait if your coverage is thin. The edge cases around nullable enum casts, typed config, and the new CSRF middleware are where subtle bugs hide. Write tests first, then upgrade.
Laravel 12 receives bug fixes until August 2026 and security fixes until February 2027, so there’s no emergency. But the sooner you’re on 13, the sooner you benefit from everything it brings — and from the quality-of-life improvements that will keep shipping throughout the 13.x cycle.
Final Thoughts
Laravel 13 is exactly what a mature, well-run framework release should look like: meaningful new capabilities, zero architectural chaos, and a smooth upgrade path that respects the time of everyone who has existing applications in production.
The AI SDK going stable is the feature that will have the longest-term impact. For Laravel developers, having a first-party, provider-agnostic interface for AI text, images, audio, embeddings, and vector search — all wired into Laravel’s queue system and service container — is genuinely significant. It removes the last reason to reach for an external AI library.
The rest — PHP Attributes, passkeys, Reverb’s database driver, Queue::route(), JSON:API resources — are thoughtful, well-executed additions that make the day-to-day experience of writing Laravel code cleaner and more expressive.
This is a release worth upgrading for. If you haven’t already, now is the time.