@jlrdw I'm not doing authentication. I just learnt that just call the ajax in the web.php instead of api.php and have the
if(request()->ajax()) to check if it ajax request. Now a GET controller can serve as both ajax and normal http request and
Auth::check() work now because now it's session instead of request from api.php.
Thank for all the answers though.