Laravel airlock, api in the same domain (not even subdomain)

Anyone?

Well, at the end I added "web" middleware to my api routes (I only use for the ajax request of my app), and when I have a "real api" (used on mobiles e.g), I would consider airlock or whatever

@luddinus bacially you have three relevant configurations here: APP_URL, AIRLOCK_STATEFUL_DOMAINS and SESSION_DOMAIN.

You can read details about this configuration in Mohammed Said's blog post here.

If you have everything on the same domain, then you should actually just put that domain in all three configurations. This is an example where we are running the application via Valet on http://example.test

APP_URL=http://example.test
AIRLOCK_STATEFUL_DOMAINS=example.test
SESSION_DOMAIN=example.test

While you cannot have your app and API on two completely different domains, then you can have them on different subdomains. This is from the blog post mentioned above:

That's why you can't have the API hosted in domain.com while the SPA is on another-domain.com. They both need to be on the same domain so they get the same session ID.

Say for example your app is on https://app.example.com and your SPA on https://example.com then you would use:

APP_URL=https://app.example.com
AIRLOCK_STATEFUL_DOMAINS=example.com,app.example.com
SESSION_DOMAIN=.example.com

Note the dot in the SESSION_DOMAIN which enables any subdomain.

For man people then you have both app and SPA in the same domain, but you are working both locally and on your production server. In this case, remember to set the appropriate values for all the three variables.