
douglas_quaid

Spark Ajax requests and CSRF

Hello,

I'm having an issue only when a user is not logged in. If they click on a button that performs a POST ajax request to my API, and then click another button on that same page that is a POST ajax request to a web route, there is a token mismatch exception. This is not the case when that user is logged in and they do this same thing. Not sure why this is happening. I examined the tokens being passed in the headers and they match...

Why do you think this could be throwing an exception?

douglas_quaid

I've narrowed it down to the middleware of the API

If I change the middleware of the route from this

'middleware' => 'auth:api',

to this...

'middleware' => 'api',

it works for guests. Not sure why the authentication middleware would affect the CSRF token. Any ideas here?
