
thezap

Sanctum suddenly starts to return Token Mismatch and works only after clearing cookies

Hello,

I have a SPA working with React, Sanctum and Laravel 8. Everything works fine but there's a weird problem happening every once in a while.

The problem is that Laravel/Sanctum starts to respond with 419 Unknown Status (Token Mismatch) errors. This happens when logged in and even when logging out, even in incognito mode.

I have followed many possible fixes to this issue but I haven't found a solution yet. I've found that clearing the cookies in my browser makes the problem disappear.

My .env file contains the Sanctum setup:

SESSION_DOMAIN=webapp.test
SANCTUM_STATEFUL_DOMAINS=webapp.test

The session driver and lifetime are the default:

SESSION_DRIVER=file
SESSION_LIFETIME=120

My config/cors.php file:

<?php
return [

    /*
    |--------------------------------------------------------------------------
    | Cross-Origin Resource Sharing (CORS) Configuration
    |--------------------------------------------------------------------------
    |
    | Here you may configure your settings for cross-origin resource sharing
    | or "CORS". This determines what cross-origin operations may execute
    | in web browsers. You are free to adjust these settings as needed.
    |
    | To learn more: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
    |
    */

    'paths' => ['api/*', 'sanctum/csrf-cookie'],

    'allowed_methods' => ['*'],

    'allowed_origins' => ['*'],

    'allowed_origins_patterns' => [],

    'allowed_headers' => ['*'],

    'exposed_headers' => false,

    'max_age' => true,

    'supports_credentials' => true,

];

For the requests I use an instance of axios:

import axios from "axios";

// baseUrl is defined elsewhere in the app (not shown here)
export const api = axios.create({
  baseURL: `${baseUrl}/api`,
  headers: {
    "Content-Type": "application/json",
  },
});

An example call would be:

import { api } from "api";
...
api.post(`/cart/add`, data).then(() => {}).catch((err) => { console.error(err); });

As I said before, the webapp works perfectly but suddenly, after a few days, it blocks all requests and sends a 419 token mismatch error (even when using private mode) until the browser cookies are cleared or the app key is reset.

Is there anything wrong in my setup or do you think it is just a local behavior?

Any advice would help.
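For reference, here is an added example (not from the post above or from Laravel/Sanctum itself) of the CSRF handling a Sanctum SPA client has to do: send the session cookies with the request, mirror the XSRF-TOKEN cookie into the X-XSRF-TOKEN header, and recover from a 419 by refreshing the CSRF cookie instead of waiting for the user to clear cookies. It assumes the Laravel app exposes /sanctum/csrf-cookie, that SESSION_DOMAIN matches the SPA host, and that a fetch-compatible `client` is injected so the logic can be exercised outside a browser.

```javascript
// Added example (not from the post): the CSRF handling a Sanctum SPA client
// must do, written as plain functions so it can be exercised outside a browser.
// Assumptions: the Laravel app exposes /sanctum/csrf-cookie, SESSION_DOMAIN
// matches the SPA host, and a fetch-compatible `client` is injected.

// Read XSRF-TOKEN out of a document.cookie-style string. Laravel URL-encodes
// the value (base64 padding arrives as %3D), so decode before echoing it back.
function xsrfTokenFromCookie(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "XSRF-TOKEN" && rest.length) {
      return decodeURIComponent(rest.join("="));
    }
  }
  return null;
}

// Build the request the way Laravel's VerifyCsrfToken middleware expects it:
// cookies sent (withCredentials) and the cookie token mirrored into X-XSRF-TOKEN.
function buildSanctumRequest(body, cookieString) {
  const token = xsrfTokenFromCookie(cookieString);
  return {
    method: "POST",
    credentials: "include", // fetch equivalent of axios withCredentials: true
    headers: {
      "Content-Type": "application/json",
      Accept: "application/json",
      ...(token ? { "X-XSRF-TOKEN": token } : {}),
    },
    body: JSON.stringify(body),
  };
}

// POST to the API; on a 419 (the mismatch described in the post) refresh the
// CSRF cookie once and retry, rather than leaving the user stuck until cookies
// are cleared. getCookies is called on every attempt so the retry sees the new cookie.
async function sanctumPost(client, baseUrl, path, body, getCookies) {
  const send = () =>
    client(`${baseUrl}/api${path}`, buildSanctumRequest(body, getCookies()));
  let response = await send();
  if (response.status === 419) {
    await client(`${baseUrl}/sanctum/csrf-cookie`, { credentials: "include" });
    response = await send();
  }
  return response;
}
```

If the retry also returns 419, the token is not the problem: the session itself is not being matched (cookie domain, stateful domains or session storage), which is the case to inspect on the server side.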
