in VerifiyCsrfToken.php you can specify routes that you want to exclude from csrf.
class VerifyCsrfToken extends BaseVerifier
{
/**
* The URIs that should be excluded from CSRF verification.
*
* @var array
*/
protected $except = [
'/data/insert',
];
}
That workaround isn't healthy, your supposed to simulate the API in a post request, not cut its CSRF security off, that's not a productive way around this issue. I believe the right way to do it is with postman interceptor (since the token refreshes on each call).