When you return an Eloquent model as a JSON response, every database column is included by default — including sensitive fields like password. The $hidden, $visible, and $appends properties give you model-level control over what gets serialized, complementing the per-query select() approach from the previous lesson.
$hidden — Exclude Sensitive Fields
You've probably seen $hidden in the default User model without thinking much about it.
app/Models/User.php:
class User extends Authenticatable
{
    protected $hidden = [
        'password',
        'remember_token',
    ];

    // ...
}
Without it, returning a user from an API endpoint exposes the hashed password and token in every response.

With $hidden in place, those fields are stripped from toArray() and toJson() output automatically.
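A regression test that pins this behaviour down, as an added example that is not part of the original lesson. It assumes a stock Laravel application with the default App\Models\User model and Tests\TestCase; the file path, class name and sample values are constructed. It also goes one step further than the text and checks that $hidden only filters serialized output, not the model's own attributes.

```php
<?php
// tests/Unit/UserSerializationTest.php (assumed path; added example, not project code)

namespace Tests\Unit;

use App\Models\User;
use Tests\TestCase;

class UserSerializationTest extends TestCase
{
    /** Constructed sample user, built in memory; no database is touched. */
    private function sampleUser(): User
    {
        return (new User)->forceFill([
            'name' => 'Sample User',
            'email' => 'sample@example.test',
            'password' => 'constructed-password-value',
            'remember_token' => 'constructed-token-value',
        ]);
    }

    public function test_hidden_fields_are_absent_from_serialized_output(): void
    {
        $user = $this->sampleUser();

        foreach (['password', 'remember_token'] as $field) {
            $this->assertArrayNotHasKey($field, $user->toArray());
            $this->assertArrayNotHasKey($field, json_decode($user->toJson(), true));
            // json_encode() calls jsonSerialize(), which also honours $hidden.
            $this->assertArrayNotHasKey($field, json_decode(json_encode($user), true));
        }
    }

    public function test_hidden_only_affects_serialization(): void
    {
        $user = $this->sampleUser();

        // The raw attribute array and property access still expose the values,
        // so code that logs or dumps getAttributes() is not covered by $hidden.
        $this->assertArrayHasKey('password', $user->getAttributes());
        $this->assertNotNull($user->remember_token);

        // makeVisible() overrides $hidden for this one instance.
        $this->assertArrayHasKey('password', $user->makeVisible('password')->toArray());
    }
}
```

If someone later removes an entry from $hidden, the first test fails before the field reaches an API response.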

How this differs from select(): select() prevents the column from being...