
syntaxerron

Authentication on Laravel with Vue.js using Sanctum

I tried building a Laravel 8 application with the default Vue integration (not a separate project using Vue CLI). I use Sanctum for authentication. I followed the setup in the documentation, but I got a 419 error (CSRF token mismatch). I also used laravel/ui to set up the authentication.

bootstrap.js

window.axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
window.axios.defaults.withCredentials = true;
window.axios.defaults.baseURL = "http://localhost:8000/";

Kernel.php

'api' => [
    \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
    'throttle:60,1',
    \Illuminate\Routing\Middleware\SubstituteBindings::class,
]

cors.php

'paths' => [
    'api/*',
    '/login',
    '/logout',
    '/sanctum/csrf-cookie'
],
.
.
.
'supports_credentials' => true,

web.php

Route::get('/{any?}', [AppController::class, "index"]);
Auth::routes();

App.vue

...
methods: {
    login() {
        axios.get("/sanctum/csrf-cookie").then(response => {
            axios.post("/login", {
                email: "[email protected]",
                password: "password"
            })
        })
    }
},
...

.env

SESSION_DRIVER=file
SESSION_DOMAIN=localhost
SANCTUM_STATEFUL_DOMAINS=localhost,127.0.0.1,localhost:8000,127.0.0.1:8000
0 likes
2 replies
SilenceBringer

@loose1eaf it's expected behavior

You are making a POST request to /login. This route isn't prefixed with /api/, so all web middleware is applied, including VerifyCsrfToken.

I can suggest 2 solutions:

  1. Add an API URL for logging in, like /api/login. This way the VerifyCsrfToken middleware will not be applied.
  2. Go to app\Http\Middleware\VerifyCsrfToken and add login to the $except array. But this way, if you use the same URL for auth via the SPA and from a site form (do you use the same backend for an admin panel, for example?), it will not be protected by CSRF either.
1 like
syntaxerron
OP
Best Answer
Level 5

Thank you for the response. It's working now. I just changed SESSION_DOMAIN=localhost to SESSION_DOMAIN=127.0.0.1. Man, I feel so dumb, haha. I don't know why or how, because I know they both mean localhost, but it works now.
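
Added example, not part of the thread: a simplified model of RFC 6265 cookie domain matching, showing that a browser treats localhost and 127.0.0.1 as different hosts for the cookies Laravel issues with Domain=SESSION_DOMAIN. The function names and the sample hosts are hypothetical, and the model ignores paths, Secure and SameSite.

```javascript
// Added illustration: simplified RFC 6265 cookie domain handling.
// Function names are hypothetical; hosts below are constructed sample values.
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// RFC 6265 section 5.1.3: identical strings, or a dot-separated suffix
// of a host *name* (suffix matching never applies to IP addresses).
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === d) return true;
  return !isIp(host) && host.endsWith("." + d);
}

// Fate of a cookie sent with Domain=sessionDomain by a response from apiHost,
// when the SPA page itself was loaded from pageHost. Ports do not scope cookies.
function cookieOutcome({ pageHost, apiHost, sessionDomain }) {
  // Section 5.3: if the responding host does not match the Domain
  // attribute, the browser ignores the cookie entirely.
  const stored = domainMatches(apiHost, sessionDomain);
  // document.cookie only exposes cookies that match the page's own host;
  // that is where axios reads XSRF-TOKEN to build the X-XSRF-TOKEN header.
  const readableByPage = stored && domainMatches(pageHost, sessionDomain);
  return { stored, readableByPage, csrfHeaderSent: readableByPage };
}

const cases = [
  { pageHost: "localhost", apiHost: "localhost", sessionDomain: "localhost" },
  { pageHost: "127.0.0.1", apiHost: "localhost", sessionDomain: "localhost" },
  { pageHost: "127.0.0.1", apiHost: "127.0.0.1", sessionDomain: "127.0.0.1" },
  { pageHost: "127.0.0.1", apiHost: "127.0.0.1", sessionDomain: "localhost" },
];
for (const c of cases) console.log(c, cookieOutcome(c));
```

Keeping the address-bar host, the axios baseURL, SESSION_DOMAIN and SANCTUM_STATEFUL_DOMAINS on one host name avoids the two failing cases.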
