In this video, we dive into how to use Laravel Sanctum (formerly Airlock) for authenticating your API requests, specifically how to get it working smoothly with Postman – which, out of the box, is a bit trickier than you might expect! Unlike typical token-based authentication, Sanctum is designed to be more cookie-based, making things like getting the CSRF token and maintaining sessions important.
We start by trying a standard login request in Postman and hitting that classic "CSRF token mismatch" error. This leads to explaining why you need to pre-fetch the CSRF cookie from Sanctum's endpoint before you can log in. We show you how to organize all your endpoints in a Postman Collection, and then use a pre-request script to programmatically retrieve that CSRF token and store it in an environment variable.
Once that's set, we set up headers and demonstrate how to send the right CSRF token with your login and logout requests. We also find the sneaky bit you need to make authenticated requests work: setting the Referer header correctly, so Laravel knows your requests are stateful. We troubleshoot why your /api/user endpoint might still show "Unauthenticated" even after logging in and show how to set up Postman to handle this automatically via environment variables.
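The token handling a Postman pre-request script needs for the flow above, as an added example (not code from the video): it pulls the XSRF-TOKEN cookie out of the Set-Cookie headers returned by Sanctum's CSRF endpoint, URL-decodes it, and builds the headers for a stateful request. The sample cookie values, the "localhost" frontend origin and the environment variable name are assumptions.

```javascript
// Portable Node.js version of the logic; the Postman-only calls are in comments.

// Parse one Set-Cookie header value into its name and raw (still encoded) value.
function parseSetCookie(setCookie) {
  const [pair] = setCookie.split(';');
  const eq = pair.indexOf('=');
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// Laravel URL-encodes cookie values, so "=" inside the token arrives as "%3D".
// Sending the raw cookie value in X-XSRF-TOKEN is a common cause of the
// "CSRF token mismatch" error; the header must carry the decoded value.
function xsrfTokenFromSetCookies(setCookies) {
  for (const sc of setCookies) {
    const { name, value } = parseSetCookie(sc);
    if (name === 'XSRF-TOKEN') return decodeURIComponent(value);
  }
  return null; // no CSRF cookie in the response: fetch /sanctum/csrf-cookie first
}

// Headers for a stateful Sanctum request. Sanctum treats a request as
// stateful when the Referer (or Origin) host is one of its configured
// stateful domains, so Referer must look like your SPA, not like Postman.
function statefulHeaders(token, frontendOrigin = 'http://localhost') {
  return {
    Accept: 'application/json',
    'X-XSRF-TOKEN': token,
    Referer: frontendOrigin,
    Origin: frontendOrigin,
  };
}

// Constructed sample of what GET /sanctum/csrf-cookie sends back.
const SAMPLE_SET_COOKIES = [
  'XSRF-TOKEN=eyJpdiI6ImFiYyJ9%3D%3D; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/; samesite=lax',
  'laravel_session=abc123; path=/; httponly; samesite=lax',
];

// In a Postman pre-request script the same steps are (assumed pm API usage):
//   pm.sendRequest(pm.environment.get('base_url') + '/sanctum/csrf-cookie', (err, res) => {
//     const token = xsrfTokenFromSetCookies(<Set-Cookie values from res.headers>);
//     pm.environment.set('xsrf_token', token);   // then use {{xsrf_token}} in X-XSRF-TOKEN
//   });
console.log(statefulHeaders(xsrfTokenFromSetCookies(SAMPLE_SET_COOKIES)));
```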
By the end you'll see how logging in and logging out work in Postman, how Laravel's CSRF and session cookies integrate with your API requests, and how to avoid all the usual gotchas. If you follow along step-by-step, you'll be able to play with your Sanctum-protected endpoints without any headaches. Perfect for testing and developing APIs with confident authentication!