Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
I started using Spark v4.0.5 (Laravel v5.4 + VueJS v2) and in previous versions have had no problem configuring access to API-specific routes using the given middleware. With this version, however, I have been seeing that if I use the auth:api the API responds with a 401 Unauthorized status.
I can use the api middleware, but if I do that, the API is fully accessible to the outside world and simple GET requests show everything.
Something seems to be wrong with that middleware and/or the token which theoretically automatically gets added to every internal request.
How would one test and debug this issue?
Pertinent code:
app/Providers/SparkServiceProvider.php
...
protected $usesApi = false;
...
I can change the above to true, but it doesn't have any effect whatsoever on this use case/issue.
routes/api.php
Route::group([
'namespace' => 'App\Http\Controllers\Api',
// 'middleware' => 'auth:api', // this is the problematic middleware
], function () {
Route::get('/needs', [
'as' => 'needs.index',
'uses' => 'NeedsController@index',
]);
});
app/Providers/RouteServiceProvider.php
...
protected function mapApiRoutes(Router $router)
{
$router->group([
'prefix' => 'api',
'middleware' => 'api',
], function ($router) {
require base_path('routes/api.php');
});
}
...
Thoughts are appreciated.
The answer actually had nothing to do with middleware at all.
The Spark v4.0 documentation was incorrect here: https://spark.laravel.com/docs/4.0/api
this.$http.get('/api/users')
.then(response => {
this.users = response.data;
});
Should have been ...
axios.get('/api/users')
.then(response => {
this.users = response.data;
});
I've submitted a PR to have that doc corrected.
Please or to participate in this conversation.