Server-side data with Laravel

This tutorial shows how to connect Handsontable’s dataProvider plugin to a Laravel backend. You will build a product inventory grid that loads data from a REST API with server-side pagination, sorting, and filtering, and that persists row create, update, and delete operations to a Laravel database.

View full example on GitHub

Difficulty: Intermediate
Time: ~30 minutes
Stack: Laravel 11 (PHP 8.2+), Eloquent ORM, Handsontable dataProvider

What You’ll Build

A product inventory data grid that:

Fetches paginated rows from GET /api/products on every page change
Sorts and filters rows on the server — the browser never loads the full dataset
Creates, updates, and deletes rows via POST, PATCH, and DELETE endpoints
Sends CSRF tokens for Blade-rendered pages or uses Sanctum for SPA auth
Shows a loading overlay while data loads and an error toast when a request fails

Before you begin

PHP 8.2+ and Composer installed
A Laravel 11 project created (composer create-project laravel/laravel inventory)
A configured database (SQLite works for local development)
Node.js 22 and Handsontable installed (npm install handsontable)

Scaffold the backend

Run these Artisan commands in your Laravel project root:
Terminal window
```
1
php artisan make:model Product --migration
2
php artisan make:controller ProductController --model=Product
3
php artisan make:seeder ProductSeeder
```
What’s happening:
- make:model Product --migration creates app/Models/Product.php and a timestamped migration file in database/migrations/.
- make:controller ProductController --model=Product creates ProductController.php pre-bound to the Product model.
- make:seeder ProductSeeder creates database/seeders/ProductSeeder.php for sample data.
Define the migration

Replace the generated migration’s up() method with the products schema:

@code php

What’s happening:
- id() creates an auto-increment primary key. This is the value Handsontable uses as rowId.
- string('sku')->unique() is a server-generated field, so the grid marks it readOnly: true.
- decimal('price', 10, 2) stores two decimal places, matching the numeric cell type in the frontend column definition.
- unsignedInteger('stock') enforces a non-negative integer at the database level.
Run the migration:
Terminal window
```
1
php artisan migrate
```
Create the Eloquent model

Open app/Models/Product.php and set $fillable and $casts:

@code php

What’s happening:
- $fillable lists the columns that Product::create() and update() may write to, protecting the id from mass-assignment.
- $casts maps price to float and stock to integer. Without this, Eloquent returns all values as strings and Handsontable’s numeric cell type receives "1299.99" instead of 1299.99.
Seed the database

Open database/seeders/ProductSeeder.php and add at least 50 rows so that pagination spans multiple pages:

@code php

What’s happening:
- Product::create($data) inserts each row through Eloquent so the $fillable guard and timestamps apply.
- The 52 rows create six pages at the default pageSize: 10, making pagination controls visible from the first load.
Run the seeder:
Terminal window
```
1
php artisan db:seed --class=ProductSeeder
```

Build the ProductController

ProductController handles all four HTTP verbs. Each method maps to one Handsontable dataProvider callback:

@code php

What’s happening:

`index()` — paginate, sort, and filter

Handsontable sends query parameters through the buildUrl() frontend helper:

Query parameter	Example value	PHP access
`page`, `pageSize`	`1`, `10`	`$request->input('page')`
`sort[prop]`, `sort[order]`	`'name'`, `'asc'`	`$request->input('sort')`
`filters[0][prop]`, `filters[0][condition]`, `filters[0][value]`	`'price'`, `'gt'`, `'100'`	`$request->input('filters')`

The filter loop maps Handsontable condition names to SQL clauses. Text conditions use LOWER() for case-insensitive matching:

Handsontable condition	SQL equivalent
`contains`	`LIKE '%value%'`
`begins_with`	`LIKE 'value%'`
`gt`	`> value`
`between`	`BETWEEN value AND value2`
`empty`	`IS NULL OR = ''`

Both $prop values (for filters and for sort) are validated against an allowlist of column names before being used in any query, preventing SQL injection through unsanitized user input.

Why skip()/take() instead of paginate()?

Laravel’s paginate(n) manages its own ?page= parameter and returns a LengthAwarePaginator JSON shape. Handsontable already sends page and pageSize directly, so manual skip(($page - 1) * $pageSize)->take($pageSize) returns the { data, total } shape that fetchRows expects without any adapter code.

`store()` — create rows

When the user inserts rows from the context menu, onRowsCreate calls POST /api/products with:

1
{ "position": "above", "referenceRowId": 5, "rowsAmount": 1 }

store() reads rowsAmount and creates that many blank rows. It returns HTTP 201.

`batchUpdate()` — update changed cells

After a cell edit, onRowsUpdate calls PATCH /api/products with:

1
[{ "id": 4, "changes": { "price": 149.99 }, "rowData": { "..." } }]

batchUpdate() finds each product by id and calls update() with only the changes object, so unchanged fields are not overwritten.

`batchDestroy()` — delete rows

onRowsRemove calls DELETE /api/products with a plain array of row IDs:

1
[4, 7, 12]

batchDestroy() deletes them in one whereIn()->delete() query and returns HTTP 204.

Register API routes

Open routes/api.php and add the four product routes:

@code php

What’s happening:
- All four routes share the same /api/products path. Laravel matches them by HTTP method.
- The Sanctum middleware group is shown commented out. Uncomment it when you add authentication to your API.
Verify the routes are registered:
Terminal window
```
1
php artisan route:list --path=api/products
```
Configure CORS

Browsers block cross-origin requests unless the server sends the correct headers.

Open config/cors.php and allow your frontend origin:
```
1
'allowed_origins' => ['http://localhost:5173'], // Vite dev server
```
What’s happening:
- The CORS middleware registers automatically in Laravel 11 via bootstrap/app.php. No extra configuration is needed beyond the allowed_origins list.
- In production replace 'http://localhost:5173' with the exact frontend origin. Using ['*'] is acceptable during local development but exposes your API to any origin.

Wire up Handsontable

With the server running (php artisan serve), configure Handsontable to use the dataProvider plugin. The complete frontend code is in the files below.

1
/* file: app.component.ts */
2
import { Component, ViewChild } from '@angular/core';
3
import { GridSettings, HotTableComponent, HotTableModule } from '@handsontable/angular-wrapper';
4
import type { DataProviderQueryParameters, DataProviderFetchOptions, RowsCreatePayload, RowUpdatePayload } from 'handsontable/plugins/dataProvider';
5
import type { SourceRowData } from 'handsontable/common';
6

7
function buildUrl(base: string, params: DataProviderQueryParameters): string {
8
  const query = new URLSearchParams({
9
    page: String(params.page),
10
    pageSize: String(params.pageSize),
11
  });
12

13
  if (params.sort) {
14
    query.set('sort[prop]', params.sort.prop);
15
    query.set('sort[order]', params.sort.order);
16
  }
17

18
  if (params.filters?.length) {
19
    params.filters.forEach(({ prop, conditions }, i) => {
20
      const cond = conditions[0];
21

22
      query.set(`filters[${i}][prop]`, prop);
23

24
      if (cond?.name) {
25
        query.set(`filters[${i}][condition]`, cond.name);
26
      }
27

28
      if (cond?.args[0] != null) {
29
        query.set(`filters[${i}][value]`, String(cond.args[0]));
30
      }
31

32
      if (cond?.args[1] != null) {
33
        query.set(`filters[${i}][value2]`, String(cond.args[1]));
34
      }
35
    });
36
  }
37

38
  return `${base}?${query}`;
39
}
40

41
function csrfToken(): string {
42
  return document.querySelector('meta[name="csrf-token"]')?.getAttribute('content') ?? '';
43
}
44

45
@Component({
46
  standalone: true,
47
  imports: [HotTableModule],
48
  selector: 'example1-server-side-laravel',
49
  template: `
50
    <div>
51
      <hot-table [settings]="gridSettings"></hot-table>
52
    </div>
53
  `,
54
})
55
export class AppComponent {
56
  @ViewChild(HotTableComponent, { static: false }) readonly hotTable!: HotTableComponent;
57

58
  readonly gridSettings: GridSettings = {
59
    dataProvider: {
60
      rowId: 'id',
61
      fetchRows: (params: DataProviderQueryParameters, options: DataProviderFetchOptions) =>
62
        this.fetchRows(params, options.signal),
63
      onRowsCreate: (payload: RowsCreatePayload) => this.onRowsCreate(payload),
64
      onRowsUpdate: (rows: RowUpdatePayload[]) => this.onRowsUpdate(rows),
65
      onRowsRemove: (rowIds: unknown[]) => this.onRowsRemove(rowIds),
66
    },
67
    pagination: { pageSize: 10 },
68
    columnSorting: true,
69
    filters: true,
70
    dropdownMenu: true,
71
    contextMenu: true,
72
    emptyDataState: true,
73
    notification: true,
74
    rowHeaders: true,
75
    colHeaders: ['Name', 'SKU', 'Category', 'Price', 'Stock'],
76
    columns: [
77
      { data: 'name', type: 'text' },
78
      { data: 'sku', type: 'text', readOnly: true },
79
      {
80
        data: 'category',
81
        type: 'dropdown',
82
        source: ['Electronics', 'Accessories', 'Storage', 'Networking', 'Peripherals'],
83
      },
84
      { data: 'price', type: 'numeric', numericFormat: { pattern: '$0,0.00' } },
85
      { data: 'stock', type: 'numeric' },
86
    ],
87
  };
88

89
  async fetchRows(params: DataProviderQueryParameters, signal: AbortSignal): Promise<{ rows: SourceRowData[]; totalRows: number }> {
90
    const url = buildUrl('/api/products', params);
91
    const res = await fetch(url, { signal });
92

93
    if (!res.ok) {
94
      throw new Error(`HTTP ${res.status}`);
95
    }
96

97
    const json = await res.json();
98

99
    return { rows: json.data, totalRows: json.total };
100
  }
101

102
  async onRowsCreate(payload: RowsCreatePayload): Promise<void> {
103
    await fetch('/api/products', {
104
      method: 'POST',
105
      headers: { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': csrfToken() },
106
      body: JSON.stringify(payload),
107
    });
108
  }
109

110
  async onRowsUpdate(rows: RowUpdatePayload[]): Promise<void> {
111
    await fetch('/api/products', {
112
      method: 'PATCH',
113
      headers: { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': csrfToken() },
114
      body: JSON.stringify(rows),
115
    });
116
  }
117

118
  async onRowsRemove(rowIds: unknown[]): Promise<void> {
119
    await fetch('/api/products', {
120
      method: 'DELETE',
121
      headers: { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': csrfToken() },
122
      body: JSON.stringify(rowIds),
123
    });
124
  }
125
}
126
/* end-file */
127

128
/* file: app.config.ts */
129
import { ApplicationConfig, provideZoneChangeDetection } from '@angular/core';
130
import { registerAllModules } from 'handsontable/registry';
131
import { HOT_GLOBAL_CONFIG, HotGlobalConfig, NON_COMMERCIAL_LICENSE } from '@handsontable/angular-wrapper';
132

133
registerAllModules();
134

135
export const appConfig: ApplicationConfig = {
136
  providers: [
137
    provideZoneChangeDetection({ eventCoalescing: true }),
138
    {
139
      provide: HOT_GLOBAL_CONFIG,
140
      useValue: { license: NON_COMMERCIAL_LICENSE } as HotGlobalConfig,
141
    },
142
  ],
143
};
144
/* end-file */

1
<div>
2
  <example1-server-side-laravel></example1-server-side-laravel>
3
</div>

What’s happening:

`buildUrl` helper

1
function buildUrl(base, { page, pageSize, sort, filters }) {
2
  const params = new URLSearchParams({
3
    page: String(page),
4
    pageSize: String(pageSize),
5
  });
6

7
  if (sort) {
8
    params.set('sort[prop]', sort.prop);
9
    params.set('sort[order]', sort.order);
10
  }
11

12
  if (filters) {
13
    filters.forEach((filter, i) => {
14
      params.set(`filters[${i}][prop]`, filter.prop);
15
      params.set(`filters[${i}][condition]`, filter.condition.name);
16
      const args = filter.condition.args ?? [];
17
      if (args[0] != null) params.set(`filters[${i}][value]`, String(args[0]));
18
      if (args[1] != null) params.set(`filters[${i}][value2]`, String(args[1]));
19
    });
20
  }
21

22
  return `${base}?${params}`;
23
}

buildUrl serializes the queryParameters object that fetchRows receives into a URL query string that Laravel reads with request()->input(). It converts the Handsontable filter condition shape — { prop, condition: { name, args } } — into the flat bracket-notation parameters Laravel parses automatically.

`csrfToken` helper

1
function csrfToken() {
2
  return document.querySelector('meta[name="csrf-token"]')?.content ?? '';
3
}

Laravel requires a CSRF token on POST, PATCH, and DELETE requests. For Blade-rendered pages, inject the token via <meta name="csrf-token" content="{{ csrf_token() }}"> in your layout. For a Sanctum SPA, call GET /sanctum/csrf-cookie once on startup and send the X-XSRF-TOKEN cookie value instead.

`fetchRows`

1
fetchRows: async ({ page, pageSize, sort, filters }, { signal }) => {
2
  const url = buildUrl('/api/products', { page, pageSize, sort, filters });
3
  const res = await fetch(url, { signal });
4

5
  if (!res.ok) throw new Error(`HTTP ${res.status}`);
6

7
  const json = await res.json();
8
  return { rows: json.data, totalRows: json.total };
9
},

fetchRows is called on every page change, sort, and filter. Passing signal to fetch() lets the browser cancel stale in-flight requests when the user sorts or pages quickly. Throwing on a non-ok response lets notification: true display an error toast automatically.

`onRowsCreate`, `onRowsUpdate`, `onRowsRemove`

1
onRowsCreate: async (payload) => {
2
  // payload: { position: 'above'|'below', referenceRowId, rowsAmount }
3
  await fetch('/api/products', {
4
    method: 'POST',
5
    headers: { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': csrfToken() },
6
    body: JSON.stringify(payload),
7
  });
8
},
9

10
onRowsUpdate: async (rows) => {
11
  // rows: [{ id, changes: { price: 149.99 }, rowData: {...} }, ...]
12
  await fetch('/api/products', {
13
    method: 'PATCH',
14
    headers: { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': csrfToken() },
15
    body: JSON.stringify(rows),
16
  });
17
},
18

19
onRowsRemove: async (rowIds) => {
20
  // rowIds: [4, 7, 12]
21
  await fetch('/api/products', {
22
    method: 'DELETE',
23
    headers: { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': csrfToken() },
24
    body: JSON.stringify(rowIds),
25
  });
26
},

Cell edits appear in the grid immediately (optimistic update). If the server returns a non-2xx response or the callback throws, Handsontable rolls back the values and fires afterRowsMutationError.

`beforeRowsMutation`

1
let removeConfirmed = false;
2

3
// ...
4

5
beforeRowsMutation(operation, payload) {
6
  if (operation === 'remove' && !removeConfirmed) {
7
    const count = payload.rowsRemove.length;
8
    const notification = hot.getPlugin('notification');
9
    const id = notification.showMessage({
10
      variant: 'warning',
11
      title: 'Delete rows',
12
      message: `Delete ${count} row${count !== 1 ? 's' : ''}? This cannot be undone.`,
13
      duration: 0,
14
      actions: [
15
        {
16
          label: 'Delete',
17
          type: 'primary',
18
          callback: () => {
19
            notification.hide(id);
20
            removeConfirmed = true;
21
            hot.getPlugin('dataProvider').removeRows(payload.rowsRemove).finally(() => {
22
              removeConfirmed = false;
23
            });
24
          },
25
        },
26
        {
27
          label: 'Cancel',
28
          type: 'secondary',
29
          callback: () => notification.hide(id),
30
        },
31
      ],
32
    });
33
    return false;
34
  }
35
},

beforeRowsMutation fires before any create, update, or remove operation. Returning false cancels the operation — onRowsRemove is not called and no rows are deleted on the server.

Because beforeRowsMutation is synchronous and checks for a strict === false return, you cannot use window.confirm() or other async dialogs. Instead, cancel the first attempt by returning false, show a notification with Delete and Cancel actions, and on Delete re-issue the remove via the DataProvider API. The removeConfirmed flag lets the second pass through without re-prompting.

`notification: true` and `emptyDataState: true`

1
notification: true,
2
emptyDataState: true,

notification: true enables the built-in error toast. When fetchRows or a mutation callback throws, Handsontable shows a translated error message. Fetch failures also add a Refetch action that retries the last request.

emptyDataState: true shows a loading overlay while fetchRows is in flight and an empty-state message when the server returns zero rows.

How It Works — Complete Flow

Initial load: fetchRows fires with { page: 1, pageSize: 10, sort: null, filters: null }. Laravel returns { data: [...10 rows...], total: 52 }. The grid renders the first page with a pagination bar.
Sort: The user clicks the Price header. fetchRows fires with sort: { prop: 'price', order: 'asc' }. Laravel applies orderBy('price', 'asc') and returns the first page sorted by price.
Filter: The user opens the Category filter and types “Electronics”. fetchRows fires with the filter condition. Laravel applies WHERE LOWER(category) LIKE '%electronics%' and returns the matching rows.
Edit: The user changes a price cell. The new value appears immediately. onRowsUpdate fires with [{ id: 4, changes: { price: 149.99 } }]. Laravel updates the row. On success, Handsontable silently refetches the current page.
Insert: The user right-clicks and selects Insert row below. onRowsCreate fires with { position: 'below', referenceRowId: 4, rowsAmount: 1 }. Laravel creates a blank row and Handsontable refetches.
Delete: The user selects two rows and chooses Remove rows. beforeRowsMutation shows a confirm dialog. On confirmation, onRowsRemove fires with [4, 7]. Laravel deletes both rows.
Error: The server returns 500. fetchRows throws. Handsontable shows an error toast with a Refetch button.

What you learned

How to map Handsontable’s queryParameters to Laravel request()->input() with the buildUrl() helper.
How to apply Handsontable filter condition names as Eloquent where() clauses.
Why skip()/take() is simpler than paginate() when Handsontable sends page and pageSize directly.
How to validate column names against an allowlist before using them in whereRaw() and orderBy() to prevent SQL injection.
How to send CSRF tokens for Blade-rendered pages and for SPA Sanctum apps.
How notification: true provides error toasts and a Refetch action with no extra code.
How beforeRowsMutation intercepts operations before they reach the server.

Next steps

Server-side data overview — DataProvider plugin reference
Configuration and query parameters — all fetchRows query fields
Server-side CRUD — mutation lifecycle and hooks
Fetching, hooks, and examples — error handling and loading UI
Server-side data with Spring Boot — the same Handsontable frontend wired to a Java backend

Server-side data with Laravel

What You’ll Build

Before you begin

Scaffold the backend

Define the migration

Create the Eloquent model

Seed the database

Build the ProductController

index() — paginate, sort, and filter

store() — create rows

batchUpdate() — update changed cells

batchDestroy() — delete rows

Register API routes

Configure CORS