Is it safe to expose exception messages?

Exceptions in PHP contain the getMessage method. Is it safe to expose this message in a public API? Is there any specification that says not to include sensitive information, like passwords for example, in the message returned by that method?

I'm using Laravel, but I'd also like to know what's the case on pure PHP.

As a general good practice, errors should be logged, not displayed. If you are building an API, you should simply return some meaningful error messages. Something like:

[
    'status' => 210,
    'text'   => 'You sent a malformed request for x',
    'result' => 'fail',
]

[
    'status' => 403,
    'text'   => 'You do not have permission to access this api',
    'result' => 'fail',
]

You would have full documentation that includes all status codes with their meanings.
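The following is an added example, not code from the answer above or from Laravel: a plain-PHP handler that logs the full exception server-side and returns only a documented error to the client. The exception class names, the `ref` field and the 500 status are assumptions made for the illustration; 210 and 403 are the sample values from the answer.

```php
<?php
declare(strict_types=1);

// Hypothetical exception types for this example. Their messages are written
// by the API author for clients, so they are the only ones passed through.
class MalformedRequestException extends RuntimeException {}
class PermissionDeniedException extends RuntimeException {}

/**
 * Convert any exception into a documented public error. Full detail goes to
 * the log only; the client gets a fixed text plus a reference id.
 */
function toPublicError(Throwable $e, callable $log): array
{
    $ref = bin2hex(random_bytes(8)); // ties the response to the log entry
    $log(sprintf('[%s] %s: %s at %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));

    if ($e instanceof MalformedRequestException) {
        return ['status' => 210, 'text' => $e->getMessage(),
                'result' => 'fail', 'ref' => $ref];
    }
    if ($e instanceof PermissionDeniedException) {
        return ['status' => 403, 'text' => 'You do not have permission to access this api',
                'result' => 'fail', 'ref' => $ref];
    }
    // Anything else (database, filesystem, library errors) may carry secrets
    // in getMessage(), so the public text is never taken from the exception.
    return ['status' => 500, 'text' => 'Internal error',
            'result' => 'fail', 'ref' => $ref];
}

// Constructed sample: a driver-style message that embeds connection details.
$leaky = new RuntimeException(
    'Connection failed for mysql:host=db.internal;dbname=app user=app password=EXAMPLE-ONLY'
);

$logLines = [];
$response = toPublicError($leaky, function (string $line) use (&$logLines): void {
    $logLines[] = $line; // in production: error_log($line) or a PSR-3 logger
});

echo json_encode($response), PHP_EOL;  // what the client receives
echo $logLines[0], PHP_EOL;            // what stays in the server log
```

The same mapping can be registered once with `set_exception_handler()` in plain PHP, so that uncaught exceptions never reach the client with their original message.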