Put it behind an Auth Middleware , see https://laravel.com/docs/5.5/authentication , section "Protecting Routes"

Hi, thanks for your answer!

I don't really see how I could protect with a middleware. Let me explain and clarify everything:

My plugin is located at domainName/assets/fileman

It is accessible via my TinyMCE when an admin wants to create a page for instance: domainName/admin/page/create

But when you open the plugin it's a pop-up and you can also access it if you know the URL (which is domainName/assets/fileman).

My /admin routes are protected like so:

Route::group(['prefix' => 'admin', 'middleware' => ['role:admin']], function(){
    //
});

Middlewares don't seem to be the solution here ;/

I believe the auth middleware may be the solution, try to secure your route this way:

Route::get('domainName/assets/fileman', function () {
    // Only authenticated users will have access to this section
})->middleware('auth');

or

Route::get('domainName/assets/fileman', 'Controller@method')->middleware('auth');

Not sure if it will work for your specific plugin but if you try to access the route directly from the browser it will check if you're authenticated first.

Already tried, this is not working :/

domainName/assets/fileman is located in the public folder, it's a physical route, and I think Laravel cannot forbid a user to access a public folder, whatever the route is

@shad21: Maybe using laravels built in Storage:: Facade would help to a certain extent, since then laravel manages the files and you might be able to protect them?