
cjke7777

Breeze API starter kit CSRF question

Hi,

Yes, another CSRF question! I promise, it's a little different.

Primary question: Is CSRF protection actually needed for auth routes such as login, register, logout when using Laravel as an API-only backend?

Background: I would normally say "no", it's not needed, like other API routes, but after installing the Breeze API starter I feel like I'm missing something.

When installing the Breeze Starter Kit with the "API stack" (the non-Alpine, non-Inertia stack), it adds the auth routes to web.php, not api.php. This in turn means that when interacting with this backend (for example with Postman or a mobile native client) I need to first hit the sanctum csrf route (/sanctum/csrf-cookie), then make a request to login/register/etc.

This can be seen in the Breeze Next starter (https://github.com/laravel/breeze-next)

I understand why I need to call that route first if it were a SPA, but I'm genuinely curious as to why it's needed for the API-only auth endpoints. I want to make sure I'm understanding the need correctly.

LaryAI

CSRF (Cross-Site Request Forgery) protection is a security measure that is typically used in web applications to ensure that the requests sent to the server are coming from the authenticated user and not from a malicious site. However, when it comes to API endpoints, especially those that are meant to be consumed by clients other than browsers (like mobile apps or desktop applications), CSRF protection is not usually necessary.

The reason for this is that CSRF attacks primarily exploit the trust that a web application has in the user's browser. APIs that are used by non-browser clients typically use tokens (like API keys or JWTs) for authentication, which are included in the header of the request. Since these tokens are not stored in the browser, they are not susceptible to being stolen and used in CSRF attacks.

In the case of Laravel Breeze with the API stack, the inclusion of CSRF protection for the auth routes is a bit of a hybrid approach. Laravel Sanctum, which is often used with Breeze for SPA authentication, uses CSRF protection for stateful authentication (like session-based authentication used in SPAs). When you're using Sanctum for API tokens (stateless authentication), CSRF protection is not needed.

For an API-only backend that is not serving a SPA and is using token-based authentication, you do not need CSRF protection for your auth routes. You can safely remove the CSRF middleware from these routes if you are not using cookie-based authentication.

Here's how you might adjust your web.php or api.php routes if you decide to remove CSRF protection:

// In routes/api.php
// Routes here sit in the "api" middleware group, which does not include
// VerifyCsrfToken, so no CSRF token is checked on these endpoints.

use App\Http\Controllers\AuthController; // assumed location of your controller
use Illuminate\Support\Facades\Route;

// Assuming you have the necessary controllers set up; the
// [Controller::class, 'method'] form is the current Laravel syntax
// (the old 'AuthController@login' string form relies on a namespace
// prefix that recent Laravel versions no longer configure by default).
Route::post('/login', [AuthController::class, 'login']);
Route::post('/register', [AuthController::class, 'register']);
Route::post('/logout', [AuthController::class, 'logout'])->middleware('auth:sanctum');

Make sure that your API is protected using an appropriate token-based authentication method, such as Sanctum's API token authentication, Passport, or JWT.

If you are using Sanctum and want to disable CSRF protection for your API routes, you can do so by ensuring that your API routes are in the api.php file and that they are using the auth:sanctum middleware for authentication, which does not require CSRF protection.

Remember to always ensure that your API endpoints are secure and that you understand the authentication flow of your application. If you are using Sanctum for stateful authentication in a SPA, then you should keep the CSRF protection in place.
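A worked example of the stateless alternative discussed in this thread, added here as an illustration and not taken from the thread, from Breeze or from Sanctum's own code. It assumes a stock Laravel app with Sanctum installed and the default App\Models\User model using the HasApiTokens trait; the route names, the device_name field and the token name are choices made for the example. The point it demonstrates: none of these routes reads or writes the session cookie, so VerifyCsrfToken (which only wraps the "web" group) never runs and no /sanctum/csrf-cookie round trip is required, whereas the Breeze API stack's routes in web.php authenticate with the session cookie and therefore do need it.

```php
<?php
// routes/api.php  (added example, not Breeze's or Sanctum's own code)
//
// Stateless token login for non-browser clients (Postman, a native mobile
// app). Authentication state lives only in the Authorization header the
// client chooses to send, never in an ambient cookie, so a third-party
// origin cannot ride on it and CSRF protection is not needed here.
// Assumed: default App\Models\User with Laravel\Sanctum\HasApiTokens.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\ValidationException;
use Laravel\Sanctum\PersonalAccessToken;

Route::post('/login', function (Request $request) {
    $credentials = $request->validate([
        'email'       => ['required', 'email'],
        'password'    => ['required'],
        // Used as the token name so the user can see/revoke per device.
        'device_name' => ['required', 'string', 'max:100'],
    ]);

    $user = User::where('email', $credentials['email'])->first();

    // Same failure message whether the email exists or not, so the login
    // endpoint does not double as a user-enumeration oracle.
    if (! $user || ! Hash::check($credentials['password'], $user->password)) {
        throw ValidationException::withMessages([
            'email' => ['The provided credentials are incorrect.'],
        ]);
    }

    // Sanctum returns the plain text once and stores only a SHA-256 hash in
    // personal_access_tokens; the client must keep it in secure storage.
    return response()->json([
        'token' => $user->createToken($credentials['device_name'])->plainTextToken,
    ]);
})->middleware('throttle:6,1'); // brute-force limiting, same as Breeze's login

// Everything below authenticates via "Authorization: Bearer <token>".
// Note: auth:sanctum ALSO accepts a session cookie from an origin listed in
// SANCTUM_STATEFUL_DOMAINS. That cookie path is exactly the case CSRF
// protection exists for, which is why the SPA login in web.php keeps it.
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/user', fn (Request $request) => $request->user());

    Route::post('/logout', function (Request $request) {
        $token = $request->user()->currentAccessToken();

        // Revoke only the token used for this request, leaving the user's
        // other devices logged in. On a cookie-authenticated (stateful)
        // request currentAccessToken() is a TransientToken with nothing to
        // delete, so guard the type instead of assuming a bearer token.
        if ($token instanceof PersonalAccessToken) {
            $token->delete();
        }

        return response()->noContent();
    });
});
```

Usage from a non-browser client (constructed for the example): POST /api/login with email, password and device_name, keep the returned token, then send `Authorization: Bearer <token>` on /api/user and /api/logout. No cookie is ever set, so no CSRF token is ever required. If the same backend also serves a Next/Inertia frontend, leave the Breeze routes in web.php exactly as installed: that path authenticates with the session cookie, and the /sanctum/csrf-cookie call plus the X-XSRF-TOKEN header are what stop another origin from submitting that cookie on the user's behalf.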
