
Magelfik's avatar

401 on any new api routes

Hey guys, I suddenly started having this problem and I'm not sure what I've done to cause it. Basically, any route on any of my Spark apps is returning a 401. I can log in to my app just fine, but as soon as I call something with axios, it returns a 401 and logs me out. Something strange I've noticed is, I can edit the settings, go to the /home endpoint, but anything I add in the api.php logs me out.

I've tried many things but nothing has worked so far. I've tried :

  • artisan cache:clear
  • composer dumpautoload
  • deleting the vendor folder and composer updating it
  • restarting Valet (I am on Mac OS X 10.13.6)
  • reinstalling Valet
  • creating a new app with spark new (at which point I've realized that new instances are also impacted).

This problem happens with the file or redis session driver.

In my new instance, the api.php looks like this :

Route::group([
    'middleware' => 'auth:api'
], function () {
    Route::get("/no401pls", function (){
        return "OK";
    });
});

Calling axios.get("/api/no401pls").then(response => console.log(response)); from the Chrome console immediately sends me a 401 response.

I'm not sure what could be causing it. Could you guys help me please ? What have I done ? :(

Thank you so much in advance.

0 likes
6 replies
Krisell's avatar

If you look in RouteServiceProvider.php, you'll see that all routes defined in the api.php-file will use the api middleware-group and not web.

This will skip session-handling so you are not logged in when hitting those routes. If you only use the api.php for "internal api-calls", you can simply update this to ->middleware('web').

You find the definitions of the middleware-groups in Http/Kernel.php.

I'm guessing the purpose is to speed up api-routes, and also enable for token-based authentication instead of session-based.

Edit: And if you intend to use Laravel Passport, make sure you provide the access token in your api-calls.

1 like
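
The split Krisell describes, sketched as an added example that is not from the thread or from Spark's own code: token-consumed routes stay on the stateless `api` group while browser-only calls get their own file on the session-backed `web` group. The provider layout follows the Laravel 5.x default; `mapInternalApiRoutes()`, `routes/internal.php` and the `internal-api` prefix are assumed names.

```php
<?php
// app/Providers/RouteServiceProvider.php (Laravel 5.x default layout).
// Added example: mapInternalApiRoutes(), routes/internal.php and the
// internal-api prefix are assumed names, not part of Laravel or Spark.

namespace App\Providers;

use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Route;

class RouteServiceProvider extends ServiceProvider
{
    protected $namespace = 'App\Http\Controllers';

    public function map()
    {
        $this->mapApiRoutes();
        $this->mapInternalApiRoutes();
        $this->mapWebRoutes();
    }

    // External consumers: the stateless "api" group starts no session, so a
    // browser login is invisible here and auth:api routes require a token.
    protected function mapApiRoutes()
    {
        Route::prefix('api')
            ->middleware('api')
            ->namespace($this->namespace)
            ->group(base_path('routes/api.php'));
    }

    // Browser-only calls: the "web" group starts the session and verifies
    // CSRF tokens, and "auth" checks the default (session) guard.
    protected function mapInternalApiRoutes()
    {
        Route::prefix('internal-api')
            ->middleware(['web', 'auth'])
            ->namespace($this->namespace)
            ->group(base_path('routes/internal.php'));
    }

    protected function mapWebRoutes()
    {
        Route::middleware('web')
            ->namespace($this->namespace)
            ->group(base_path('routes/web.php'));
    }
}
```

Routes moved to the `web` group authenticate by session cookie, so state-changing requests to them must carry a valid CSRF token, and token-only clients will no longer be authenticated on those routes.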
Magelfik's avatar

Hey @Krisell, thank you for your quick answer.

I'm not sure I fully understand. My api.php routes will be used for both external and internal consumption. I get that the API routes have a different authentication mechanism. What I don't get is this :

In addition, Spark ships with a custom Laravel authentication guard to authenticate requests that are made using these tokens, allowing you to easily share the same back-end API for your main web application and your API SDKs you provide to your users and third parties.

and

Spark makes it entirely painless to consume your API in this way. Simply make requests to your API routes using your JavaScript framework as normal. You do not need to pass any token or credentials. All of the authentication will be handled automatically by Spark, which generates "transient", short-lived API tokens behind the scenes automatically when users load your application's pages. These API tokens are automatically refreshed in the background by Spark.

That's what I'm trying to achieve : the user accesses my web app which is an SPA (I am using Vue). Every resource shown to the user comes from the API. Since Spark already automatically gives the user a token, isn't this key sufficient to be authenticated ?

Magelfik's avatar

You are my hero. I've spent so many hours trying to understand what was going on ! Thank you !

1 like
martefabian's avatar

Thank you so much @ohffs !! I was using Spark 6 for a new project and suddenly I was getting a 401 as response from all my API routes from the frontend and couldn't figure out why (the API seemed to be working fine externally using tokens though).

This seems to be a breaking change on a minor version of Laravel for some applications. I wonder why they decided to make it this way.
