Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
Hi,
I have been struggling with this problem for two days. I wanna hit my head against the wall.
I have an API built with Lumen, and a web-client for the application built with Laravel. the web-client uses guzzle to send requests to the API (Lumen).
on the local environment, everything is ok. when I uploaded the Laravel and Lumen on Host, the problem arose out of nowhere.
THE PROBLEM:
when the web-client (Laravel) sends a request to Lumen, a "419 Page Expired" page turns back as result. BUT when I use CURL to send a request to Lumen, it turns back a successful response.
Guzzle:
private const BASE_URI = 'http://example.com/api';
public static function sendRequest($method, $uri = '', array $options = [])
{
$client = new Client([
'base_uri' => self::BASE_URI,
'headers' => [
'Authorization' => "Bearer {session('api_token')}",
]
]);
try {
$response = $client->request($method, $uri, $options);
} catch (RequestException $exception) {
$response = $exception->getResponse();
}
$responseContent = $response->getBody()->getContents();
dd($responseContent);
$result = json_decode($responseContent);
return self::check($result);
}
CURL:
protected static function sendPost($phoneNumber, $password)
{
$url = self::BASE_URI . '/login';
$fields = array
(
'phone_number' => $phoneNumber,
'password' => $password
);
$handler = curl_init($url);
curl_setopt($handler, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($handler, CURLOPT_POSTFIELDS, $fields);
curl_setopt($handler, CURLOPT_RETURNTRANSFER, true);
$responseContent = curl_exec($handler);
dd($responseContent);
$result = json_decode($responseContent);
return self::check($result);
}
a portion of the response:
<title>Page Expired</title>
<!-- Fonts -->
<link rel="dns-prefetch" href="//fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css?family=Nunito" rel="stylesheet">
<!-- Styles -->
<style>
html, body {
background-color: #fff;
color: #636b6f;
font-family: 'Nunito', sans-serif;
font-weight: 100;
height: 100vh;
margin: 0;
}
.full-height {
height: 100vh;
}
.flex-center {
align-items: center;
display: flex;
justify-content: center;
}
@kiasaty There are significant differences between two requests, they hit different endpoints and also:
Guzzle is POST with API key
Curl is GET with no API keys
If I were you I would install Postman and make sure it works first as a regular restest to that particular endpoint and then try to turn in into Laravel request.
@AURAWINDSURFING - They hit the same endpoint, but their structure is different. when the guzzle function that I have written is called, the URL is passed. for login, there is no need to pass the API key. when I comment out the API key part in the guzzle function, I still get the same result.
I have tested postman and it works well.
I noticed something when I used postman. when I upload the lumen API on the server, it doesn't accept headers. I used to pass API key like this: "api_token: $api_token" but the server would let such header in. when I changed it to "Authorization: Bearer $api_token", it passed it to Lumen. it's like a whitelist of headers are defined in DirectAdmin. maybe this causes the problem, I don't know.
Postman is great for fiddling with this kind of stuff and getting it to work. It can even generate ugly http request code for you.
Play around with it, you will figure it out!
Please or to participate in this conversation.