Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
I am using a 3rd party webhook to go to one of my api routes. I have it set up to take in a post request when someone sends a text to that endpoint. Whenever i send a text to that endpoint it 302's to my login page even though i set the middleware to ignore the csrf tokens.
My mamp pro has the proper settings so its not a rewrite issue. The route is also showing up properly in my routes:list
If you are posting to a route in the api group, you need to instruct laravel you expect json, otherwise it will redirect to your home route / login page. Are you setting your Accept : application/json headers before making a request to your API webhook?
@Tippin where would I add that to test?
@sk8rboi7566 Whatever is sending the request needs to add that header when POST-ing to your server.
However, a 302 error has nothing to do with CSRF. It seems the URL being POST-ed to requires authentication, and unless you tell Laravel you want a JSON response, it’s going to instead try redirecting the requester to the login page if they’re not authenticated.
@sk8rboi7566 Well, whichever client/device is making the post to your API, you need to be sure those headers are sent. If you test via Postman, then add the header key => value as 'accept' => 'application/json'
You could also cheat and apply a custom middleware on your API that forces that header (to test)
public function handle(Request $request, Closure $next)
{
if (! $request->headers->has('Accept')) {
$request->headers->set('Accept', 'application/json');
}
return $next($request);
}
@martinbean the post request is sending it through a 3rd party api that generally requires authorization. But when testing it on beeceptor it already sends data in json format.
@Tippin this endpoint is only going to be getting a text message that is converted into a json format with other params that i would need.
@sk8rboi7566 That is not the point we are making. Json format or not, if you POST to a laravel API endpoint and are NOT sending the headers we have mentioned above, you WILL get a redirect response. Did you even attempt to make a middleware as I showed above, so you can force that route you are posting to, to accept json in the headers, so laravel knows how to transform that response? If you do not have control over this 3rd party posting to your API endpoint, and they do not set those accept json headers, then use my middleware example.
@Tippin i will set up the middleware tomorrow and mark your answer as correct if it works. thanks for the advice.
look at your routes with artisan route:list, and check the middleware listed for this route
If the endpoint is in the api routes it should never redirect to login because the api routes are stateless irrespective of what headers are sent
test it's with Postman or Insomnia, you should know how it behaves without using the third party
@Snapey ahh so the middleware/Authenticate checks if the request doesnt expect json then it redirects to the login page.
protected function redirectTo($request)
{
if (! $request->expectsJson()) {
return route('login');
}
}
@sk8rboi7566 you shouldn't have auth middleware on an api route?
@Snapey i cleared my route cache. instead now its is giving me a 405 error instead of 302
so the text message that is posting to the api endpoint is not a json header it is application/x-www-form-urlencoded; charset=utf-8
Please or to participate in this conversation.