is the API accessed directly by the user? i.e i can go: http://api/users/1/albums?

if so then you need some sort of logging mechanism on the api. so I send username/password on each request which your API checks (or could be a basic Auth, or a hash-type string that the api gives after you first login to it)..

@shez1983 I use JWT. The authentication is not the problem.

I mean, if a user can go to users/1/albums (because it is authenticated), he can go to users/2/albums, but I have to protect that.

One thing is to set the endpoint to api/users/authenticated/albums, but that's not the main question.

if the user is authenticated, then why dont you check if he goes to users/2/albums that the id 2 is his id?

surely when someone auths into your site/api, you store their ID which is used to get the albums ie users/2/albums..

personally if would just do users/albums as you already should know their id!

@shez1983 That's what I'm doing. (users/authenticated/albums instead of users/albums), but the question is:

What would yo dou, a middleware or a formrequest to protect that api endpoints?

I would use a middleware that is the better place where to do such kind of things. FormRequest would be used for form validation instead.