
Jdolan182

419 token mismatch error after upgrading to version 11 from 10

I have just upgraded my Laravel project from 10 to 11, and now my API calls won't get past the XSRF token checks.

axios.defaults.withCredentials = true
axios.defaults.withXSRFToken = true

// Fetch the Sanctum CSRF cookie first so the XSRF-TOKEN header accompanies the login POST.
useAxios.get('sanctum/csrf-cookie').then(async response => {
    const res = await useAxios.post('/api/auth/login', params, form)

    if (res.status == 400) {
        // Validation / bad request: surface the server's message in the form.
        form.value.login.error = true
        form.value.login.errorMessage = res.data.message
    }
    else if (res.status == 401) {
        showErrorBanner("Unauthorized", "You don't have access to this");
    }
    else if (res.status == 200) {
        // Successful login: store the user and move to the dashboard.
        userStore.setUser(res.data)
        router.push({ name: "Dashboard" })
    }
})

This is the code on my frontend, and it hasn't changed from before. I can still see access-control-allow-credentials, the session cookie and the token in the request headers.

I've added the middleware to bootstrap/app.php, but now I just keep getting token mismatch. Is there anything I need to change that I'm missing?

->withMiddleware(function (Middleware $middleware) {
    // Registers Sanctum's EnsureFrontendRequestsAreStateful on the 'api' group.
    $middleware->statefulApi();

    // Global middleware appended after the framework defaults.
    $middleware->append([
        \App\Http\Middleware\TrustProxies::class,
        \Illuminate\Http\Middleware\HandleCors::class,
        \App\Http\Middleware\PreventRequestsDuringMaintenance::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
        \App\Http\Middleware\CorsMiddleware::class,
    ]);

    $middleware->web(append: [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ]);

    $middleware->api(append: [
        \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
        \Illuminate\Routing\Middleware\ThrottleRequests::class.':api',
    ]);

    // alias() takes a flat name => class map, not a nested 'aliases' key.
    $middleware->alias([
        'auth' => \App\Http\Middleware\Authenticate::class,
        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
        'auth.session' => \Illuminate\Session\Middleware\AuthenticateSession::class,
        'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
        'can' => \Illuminate\Auth\Middleware\Authorize::class,
        'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
        'password.confirm' => \Illuminate\Auth\Middleware\RequirePassword::class,
        'signed' => \App\Http\Middleware\ValidateSignature::class,
        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
        'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
        'consumer-login' => \App\Http\Middleware\CanFrontendLogin::class,
        'admin-login' => \App\Http\Middleware\CanAdminLogin::class,
    ]);
})
Jdolan182

I found out the issue was adding the big block of middleware to the bootstrap/app.php file. I think a lot of them are just added by default now. I did have to add my own middleware to the specific routes, but it's all working again.
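A Laravel 11 bootstrap/app.php along the lines the reply describes, as an added example that is not the poster's file: the web and api defaults the framework already registers are left alone, statefulApi() covers the Sanctum cookie flow, and only the two app-specific aliases from the question are registered and then attached per route. The route path and controller name in the trailing comment are assumptions.

```php
<?php
// bootstrap/app.php for Laravel 11 (added example, not the poster's file).
// Assumes App\Http\Middleware\CanFrontendLogin and CanAdminLogin from the
// question still exist; everything else is the framework default stack.

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        // Sanctum SPA auth: adds EnsureFrontendRequestsAreStateful to the
        // 'api' group so the sanctum/csrf-cookie -> XSRF-TOKEN exchange is
        // honoured on same-origin requests.
        $middleware->statefulApi();

        // Do not re-append EncryptCookies, StartSession, VerifyCsrfToken,
        // HandleCors, TrimStrings etc.: Laravel 11 registers them already,
        // and the reply above found that a second copy is what broke the
        // token check. CSRF verification itself stays enabled.

        // Only the app's own middleware needs registering. alias() takes a
        // flat name => class map.
        $middleware->alias([
            'consumer-login' => \App\Http\Middleware\CanFrontendLogin::class,
            'admin-login'    => \App\Http\Middleware\CanAdminLogin::class,
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();

// routes/api.php (assumed usage): attach the alias to the routes that need
// it instead of pushing it into a global group.
// Route::post('/auth/login', [AuthController::class, 'login'])
//     ->middleware('consumer-login');
```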
