

External POST call to /api/... Throws VerifyCsrfToken Exception

I’m playing around with the Twilio SMS API and have finally got it working. My question is regarding the steps I had to take to get there.

A little background just FYI: I’m using Laravel 5.2.41, Forge, Digital Ocean, and Postman to test the API calls.

The API routes in question are:

routes.php

Route::group(['prefix' => 'api', 'as' => 'api_', 'namespace' => 'API', 'middleware' => 'api'], function() {
    // SMS Twilio Calls
    Route::post('sms/inbound', ['as' => 'sms_inbound_store_path', 'uses' => 'SMSController@inbound']);
    Route::post('sms/outbound', ['as' => 'sms_outbound_store_path', 'uses' => 'SMSController@outbound']);
});

From what I thought I understood, if my API Controllers are within the API namespace AND they don’t have the ‘web’ middleware defined, then they wouldn’t be subject to the CSRF protection.

At least that is what the docs say:

Excluding URIs From CSRF Protection

Sometimes you may wish to exclude a set of URIs from CSRF protection. For example, if you are using Stripe to process payments and are utilizing their webhook system, you will need to exclude your webhook handler route from Laravel's CSRF protection. You may exclude URIs by defining their routes outside of the web middleware group that is included in the default routes.php file, or by adding the URIs to the $except property of the VerifyCsrfToken middleware.

I added the two URIs to the $except array and it worked:

VerifyCsrfToken.php

protected $except = [
    'api/sms/inbound',
    'api/sms/outbound'
];

So, why did I have to do both?

0 likes
0 replies
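Once a route is listed in $except, nothing in Laravel distinguishes a Twilio POST from anyone else's POST to /api/sms/inbound, so the control that normally replaces CSRF on a webhook is the provider's request signature. The following is an added example (not code from the post, from Laravel, or from Twilio's SDK) of checking Twilio's X-Twilio-Signature in plain PHP; the auth token, URL and parameters are constructed placeholders, and slotting this into a middleware on the api group is left as an assumption.

```php
<?php
// Added example: validate Twilio's X-Twilio-Signature for a CSRF-excluded webhook.
// Twilio's documented scheme: take the full public URL the webhook was registered
// with, append every POST parameter as key followed by value in key order, HMAC-SHA1
// that string with the account auth token, and base64-encode the raw digest.

function twilioExpectedSignature(string $authToken, string $url, array $postParams): string
{
    ksort($postParams, SORT_STRING);          // parameters are concatenated sorted by key
    $data = $url;
    foreach ($postParams as $key => $value) {
        $data .= $key . $value;               // no separator between key and value
    }
    return base64_encode(hash_hmac('sha1', $data, $authToken, true));
}

function twilioSignatureValid(string $authToken, string $url, array $postParams, ?string $header): bool
{
    if ($header === null || $header === '') {
        return false;                         // unsigned request: reject outright
    }
    $expected = twilioExpectedSignature($authToken, $url, $postParams);
    return hash_equals($expected, $header);   // constant-time comparison
}

// --- constructed demo values (placeholders, not real credentials or numbers) ---
$authToken = 'PLACEHOLDER_TWILIO_AUTH_TOKEN';
$url       = 'https://example.com/api/sms/inbound';   // must be the exact URL Twilio was given
$params    = ['From' => '+15005550006', 'To' => '+15005550007', 'Body' => 'hello'];

// A genuine request: signature computed with the real token over the real body.
$goodSig = twilioExpectedSignature($authToken, $url, $params);
echo 'genuine request:   ', var_export(twilioSignatureValid($authToken, $url, $params, $goodSig), true), PHP_EOL;

// Same signature, but the body was altered in transit: must fail.
$tampered = array_replace($params, ['Body' => 'changed']);
echo 'tampered body:     ', var_export(twilioSignatureValid($authToken, $url, $tampered, $goodSig), true), PHP_EOL;

// Request signed with a different token (anyone who just knows the URL): must fail.
$forgedSig = twilioExpectedSignature('SOME_OTHER_TOKEN', $url, $params);
echo 'wrong token:       ', var_export(twilioSignatureValid($authToken, $url, $params, $forgedSig), true), PHP_EOL;

// Missing header entirely: must fail.
echo 'no signature:      ', var_export(twilioSignatureValid($authToken, $url, $params, null), true), PHP_EOL;
```

In Laravel the $url would come from the request's full URL (including any query string) and $postParams from the POST body, and the check belongs in a middleware applied only to the Twilio routes so the rest of the api group is unaffected.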