Level 31
What's in VehiclesRequest class? Form request classes have authorize() method, do you have anything there?
1 like
Jul 25, 2025
8
Level 1
403 Unauthorized on PUT Request sanctum
I am currently creating a small mobile app, for the backend i decided to make a stateless laravel API, for authentication i use the Tokenbased middleware auth:sanctum, which works perfectly fine for GET and POST request, for testing the API i use Postman and i use MAMP as my local database. But i ran into the problem that PUT and PATCH requests don't work. I will just get a 403 Forbidden
"message": "This action is unauthorized.",
"exception": "Symfony\\Component\\HttpKernel\\Exception\\AccessDeniedHttpException",
"file": "C:\\MAMP\\htdocs\\laravel\\pickerl-reminder\\vendor\\laravel\\framework\\src\\Illuminate\\Foundation\\Exceptions\\Handler.php",
"line": 673,
"trace": [
When i change the Route to POST it works. And yes i always match the request type in Postman and the api.php for the Routes, so i do not send PUT in postman for a POST Route. I also already checked and Postman is sending the token with the request
Route::middleware('auth:sanctum')->group(function () {
Route::get("/vehicle/{vehicles}", [VehiclesController::class, "show"])->name("vehicles.show");
Route::put("/vehicle/{vehicles}", [VehiclesController::class, "update"])->name("vehicles.update");
});
Like i said the GET route works as wanted,
public function update(VehiclesRequest $request, Vehicles $vehicles)
{
\Log::debug($vehicles);
$this->authorize('update', $vehicles);
$vehicles->update($request->validated());
return new VehiclesResource($vehicles);
}
This is the update function, i don't even see the Log in laravel.log, so this function is not even called when it's a PUT route.
I hope it is clear what i mean and what the problem is. Thanks already to anyone trying to help
Level 31
Also, I don't know how your mobile app sends requests, but HTML forms can send only GET and POST requests by design. To mimic to PUT or PATCH methods you should have a hidden input inside a form:
<input type="hidden" name="_method" value="put" />
// Or, if using blade templates:
@method('put')
Laravel will recognize request from this form as PUT.
Maybe this is somehow connected with your problem.
1 like
Level 1
@Glukinho The frontend is not even build yet, like i said i am testing the API using Postman. In there you can select to send PUT and PATCH Requests. I also tested it with sending _method directly in the body
{ "registration_date": "2024-01-01", "brand": "Skoda", "model": "Fabia", "vehicle_type_id": 1, "_method": "put" }
Thats the request i send, it won't work with and without _method in there.
Also i know the problem is not in the VehicleRequest method since when i use the same method and use POST everything works. Its just the PUT and PATCH Routes that give me troubles. I know it doesn't follow best practice for REST-APIs but should i just stick to POST and not use PUT and PATCH? Thanks for helping me.
1 like
Level 50
@JohannesKran You should only use the _method parameter when you're doing method spoofing. It's used when submitting an HTML form from a browser, since forms only support the GET and POST methods. So if this will be a normal form submission on the page, you should use POST with the _method set to PUT.
The error that you're getting is an authorization exception, not a route resolution error. You left out the trace from the error message, which could've been helpful.
What does your VehiclesRequest class look like? Does it have an authorize() method?
Are you sure you're setting the Authorization header correctly in the PUT requests?
1 like
Level 14
are you sure it's not the $this->authorize('update', $vehicles) part that is failing? what is the full url of your request, are you sure you are pointed to the correct controller@method?
1 like
Level 10
It might be related with the variable name. Use $vehicle instead of $vehicles. Or pass an array to authorize method like:
$this->authorize('update', ['vehicle' => $vehicles]);
1 like
Level 63
How do you send the request to the back ? Is it via axios ?
I had a similar problem with a PUT request with files in the payload.
UPDATED Sorry I didn't notice that you have only the API part and that you have no frontend for the moment.
If you send the request via Postman, it should work.
Can you share the configuration of your Postman PUT request ? It would be easier to help you.
Please or to participate in this conversation.