#Unable to authenticate with Laravel 11 Breeze:Api

29 messages · Page 1 of 1 (latest)

dapper zephyr
#

Hey there, guys!
I'm trying to protect a route with the auth:sanctum middleware.
routes/api.php:

<?php
blablabla
Route::get('/user/{userId}', GetUserController::class)->whereUuid('userId')->middleware('auth:sanctum');

But every time I try to authenticate, it simply doesn't work. I've tried ApiDog (a Postman-like app), curl in the terminal, and so on. I haven't had any success with any of them.

My path is:
1.
curl --location --request GET 'http://localhost:8080/sanctum/csrf-cookie'
2. Store the XSRF-TOKEN and laravel_session cookies.
curl --location --request POST 'http://localhost:8080/login' \
--header 'Accept: application/json' \
--header 'X-XSRF-TOKEN: qHuBQ/xy4g9yPeAglYHJN85lqKUA3l52tQo5mjWjHh+Vih8LYtpPca0n6UAViGX1ya+nKrFXb0zd10pj86BHL+BSpnG1hMHvq0WjHht4+bLt8YIQ1NEjBD8WZQGiEPnY' \
--header 'Cookie: XSRF-TOKEN=eyJpdiI6IkVqQnlZdW9DWEp1VXV4bHJncnl6M0E9PSIsInZhbHVlIjoicUh1QlEveHk0Zzl5UGVBZ2xZSEpOODVscUtVQTNsNTJ0UW81bWpXakhoK1ZpaDhMWXRwUGNhMG42VUFWaUdYMXlhK25LckZYYjB6ZDEwcGo4NkJITCtCU3BuRzFoTUh2cTBXakhodDQrYkx0OFlJUTFORWpCRDhXWlFHaUVQblkiLCJtYWMiOiIxNTQ1NTJjYmQ1NzBmMGQ4NWZlZGFkMjJhN2E5Njc3MmNlOGQwNDQ4OGQ2ZjA3OWI5N2VkMTc3OWMyNDc0MzEyIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IndyNlFnK0xKcno3cTFwbGFLSTlQcXc9PSIsInZhbHVlIjoiR3Q3TjN4VzVwK29KU253dGUzL1VqNVJrYjVkeFNDR3loTmZuWDVoOCtxT3Z2enA1RkpEK1YxU25CQitnZi9SUFE0TmdoL000WHAzVkp2eXlmd3NsQzNIQVptSUhMK1JHaXVaL05uanRTTm5pR2d0NS92Z1NKVHRJK3BEblRBcjkiLCJtYWMiOiJmZDE3Mjk0NTViNGY0ZTNhNzkxOTQwNjdjMjljN2I1YjhmZmI2ODQ3ZTE1OTE5NDdmZGJlMDM4ODcxM2U1NTNiIiwidGFnIjoiIn0%3D' \
--header 'Content-Type: application/json' \
--data-raw '{
    "email": "admin@email",
    "password": "123456"
}'
3. But I receive the attached response.
Can anyone help, please?
#

I've also tried with the decoded token, but I get the same error:

curl --location --request POST 'http://localhost:8080/login' \
--header 'Accept: application/json' \
--header 'X-XSRF-TOKEN: waYijdKYtcWrvq8Xd+hWHNlo9fKcIkhf5BNwS/FW+YaVFWPf9maY3/ioOjAWKc6XYwHTKngOdbxfrl6tEqWfL1aln739Sh7uDAW03iN6cf6tEGtQeXiLNzK3DoRea4y1' \
--header 'Cookie: XSRF-TOKEN=eyJpdiI6IlQ1c3EvSm5sR05vb3owVExOMlZsZHc9PSIsInZhbHVlIjoid2FZaWpkS1l0Y1dydnE4WGQraFdITmxvOWZLY0lraGY1Qk53Uy9GVytZYVZGV1BmOW1hWTMvaW9PakFXS2M2WFl3SFRLbmdPZGJ4ZnJsNnRFcVdmTDFhbG43MzlTaDd1REFXMDNpTjZjZjZ0RUd0UWVYaUxOekszRG9SZWE0eTEiLCJtYWMiOiJmNTVkMGRmYzIwMTg2ZWY0YWM4ZTEzZGE1MTUzM2E5YjYwMjVlMmIwNjUxMDYxMDc3YWE3NDFjNWU4YjExNzE1IiwidGFnIjoiIn0=;laravel_session=eyJpdiI6IlpVWFhCa3hzaFZWbzh5Y24xdWpYYkE9PSIsInZhbHVlIjoiRUJtOHFwQ203ajdVaWFDdUNIUEhKSkg2K1ZGWmNJZkRxTkpWNUhJM21EMkVNaGsyZlU1UlAwQjZiVXVjc0tqczYzSEhLWWVKdUhReUpWbUtDZlZSRS95QWpyMW1kNjJQaUtWNW9leTU5cS9tV2Z2b1k4a1I1SVBYTnRrZEZjQXciLCJtYWMiOiI2NWMzMjZjODJkNWUxZDkzZDFhM2JiYjc4MDNkYzUwOTdmZjY4MDJkNDQwZDBlODRkMDAzYTQwNWMyZGZjNDRiIiwidGFnIjoiIn0=' \
--header 'Content-Type: application/json' \
--data-raw '{
    "email": "admin@email",
    "password": "123456"
}'
#

I've found my error: I was setting the wrong XSRF token. Correcting the request:

curl --location --request POST 'http://localhost:8080/login' \
--header 'Accept: application/json' \
--header 'X-XSRF-TOKEN: eyJpdiI6IlQ1c3EvSm5sR05vb3owVExOMlZsZHc9PSIsInZhbHVlIjoid2FZaWpkS1l0Y1dydnE4WGQraFdITmxvOWZLY0lraGY1Qk53Uy9GVytZYVZGV1BmOW1hWTMvaW9PakFXS2M2WFl3SFRLbmdPZGJ4ZnJsNnRFcVdmTDFhbG43MzlTaDd1REFXMDNpTjZjZjZ0RUd0UWVYaUxOekszRG9SZWE0eTEiLCJtYWMiOiJmNTVkMGRmYzIwMTg2ZWY0YWM4ZTEzZGE1MTUzM2E5YjYwMjVlMmIwNjUxMDYxMDc3YWE3NDFjNWU4YjExNzE1IiwidGFnIjoiIn0=' \
--header 'Cookie: XSRF-TOKEN=eyJpdiI6IlQ1c3EvSm5sR05vb3owVExOMlZsZHc9PSIsInZhbHVlIjoid2FZaWpkS1l0Y1dydnE4WGQraFdITmxvOWZLY0lraGY1Qk53Uy9GVytZYVZGV1BmOW1hWTMvaW9PakFXS2M2WFl3SFRLbmdPZGJ4ZnJsNnRFcVdmTDFhbG43MzlTaDd1REFXMDNpTjZjZjZ0RUd0UWVYaUxOekszRG9SZWE0eTEiLCJtYWMiOiJmNTVkMGRmYzIwMTg2ZWY0YWM4ZTEzZGE1MTUzM2E5YjYwMjVlMmIwNjUxMDYxMDc3YWE3NDFjNWU4YjExNzE1IiwidGFnIjoiIn0=;laravel_session=eyJpdiI6IlpVWFhCa3hzaFZWbzh5Y24xdWpYYkE9PSIsInZhbHVlIjoiRUJtOHFwQ203ajdVaWFDdUNIUEhKSkg2K1ZGWmNJZkRxTkpWNUhJM21EMkVNaGsyZlU1UlAwQjZiVXVjc0tqczYzSEhLWWVKdUhReUpWbUtDZlZSRS95QWpyMW1kNjJQaUtWNW9leTU5cS9tV2Z2b1k4a1I1SVBYTnRrZEZjQXciLCJtYWMiOiI2NWMzMjZjODJkNWUxZDkzZDFhM2JiYjc4MDNkYzUwOTdmZjY4MDJkNDQwZDBlODRkMDAzYTQwNWMyZGZjNDRiIiwidGFnIjoiIn0=' \
--header 'Content-Type: application/json' \
--data-raw '{
    "email": "admin@email",
    "password": "123456"
}'
#

But now even with the correct token, I get 401 on my protected route:

curl --location --request GET 'http://localhost:8080/api/user/9f580bcf-8721-49f0-987c-060afe4f372d' \
--header 'X-XSRF-TOKEN: eyJpdiI6IlQ1c3EvSm5sR05vb3owVExOMlZsZHc9PSIsInZhbHVlIjoid2FZaWpkS1l0Y1dydnE4WGQraFdITmxvOWZLY0lraGY1Qk53Uy9GVytZYVZGV1BmOW1hWTMvaW9PakFXS2M2WFl3SFRLbmdPZGJ4ZnJsNnRFcVdmTDFhbG43MzlTaDd1REFXMDNpTjZjZjZ0RUd0UWVYaUxOekszRG9SZWE0eTEiLCJtYWMiOiJmNTVkMGRmYzIwMTg2ZWY0YWM4ZTEzZGE1MTUzM2E5YjYwMjVlMmIwNjUxMDYxMDc3YWE3NDFjNWU4YjExNzE1IiwidGFnIjoiIn0=' \
--header 'Cookie: XSRF-TOKEN=eyJpdiI6IlQ1c3EvSm5sR05vb3owVExOMlZsZHc9PSIsInZhbHVlIjoid2FZaWpkS1l0Y1dydnE4WGQraFdITmxvOWZLY0lraGY1Qk53Uy9GVytZYVZGV1BmOW1hWTMvaW9PakFXS2M2WFl3SFRLbmdPZGJ4ZnJsNnRFcVdmTDFhbG43MzlTaDd1REFXMDNpTjZjZjZ0RUd0UWVYaUxOekszRG9SZWE0eTEiLCJtYWMiOiJmNTVkMGRmYzIwMTg2ZWY0YWM4ZTEzZGE1MTUzM2E5YjYwMjVlMmIwNjUxMDYxMDc3YWE3NDFjNWU4YjExNzE1IiwidGFnIjoiIn0=; laravel_session=eyJpdiI6IlpVWFhCa3hzaFZWbzh5Y24xdWpYYkE9PSIsInZhbHVlIjoiRUJtOHFwQ203ajdVaWFDdUNIUEhKSkg2K1ZGWmNJZkRxTkpWNUhJM21EMkVNaGsyZlU1UlAwQjZiVXVjc0tqczYzSEhLWWVKdUhReUpWbUtDZlZSRS95QWpyMW1kNjJQaUtWNW9leTU5cS9tV2Z2b1k4a1I1SVBYTnRrZEZjQXciLCJtYWMiOiI2NWMzMjZjODJkNWUxZDkzZDFhM2JiYjc4MDNkYzUwOTdmZjY4MDJkNDQwZDBlODRkMDAzYTQwNWMyZGZjNDRiIiwidGFnIjoiIn0='
#

401:
{
"message": "Unauthenticated."
}

#

The session is being correctly stored in the sessions table:

#

And there's no other way; I need to use an API service.

cunning charm
dapper zephyr
#

That's my bootstrap/app.php file:

<?php

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use Illuminate\Http\Request;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        $middleware->api(prepend: [
            \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
        ]);

        $middleware->alias([
            'verified' => \App\Http\Middleware\EnsureEmailIsVerified::class,
        ]);

        //
    })
    ->withExceptions(function (Exceptions $exceptions) {
        $exceptions->shouldRenderJsonWhen(function (Request $request, Throwable $e) {
            if ($request->is('*')) {
                return true;
            }
        });
    })->create();

You're talking about this line: "\Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class"? All tests were made with this line uncommented.

iron granite
#

Frontend URL inside the .env? Set the Referer inside the request; maybe that helps.

dapper zephyr
#

I've got the same problem...

curl --location --request GET 'http://localhost:8080/api/user/9f580bcf-8721-49f0-987c-060afe4f372d' \
--header 'X-XSRF-TOKEN: ssP4wYyhN1VXbSZ62BxBWC6P19lWz8qk1GUjXUzBzeV6FTHewdYl1BB59iJff2d1t4rvx1aXaDCRFb0tY7IQltUwLPqfGLix5ZHkO3CUR6ApjEjWQzD20z6j181wPxG0' \
--header 'Origin: http://localhost:5173' \
--header 'Cookie: XSRF-TOKEN=eyJpdiI6IlVqZzA5b241akd1OEs3VlF1RGNXM1E9PSIsInZhbHVlIjoic3NQNHdZeWhOMVZYYlNaNjJCeEJXQzZQMTlsV3o4cWsxR1VqWFV6QnplVjZGVEhld2RZbDFCQjU5aUpmZjJkMXQ0cnZ4MWFYYURDUkZiMHRZN0lRbHRVd0xQcWZHTGl4NVpIa08zQ1VSNkFwakVqV1F6RDIwejZqMTgxd1B4RzAiLCJtYWMiOiIyYzY0NTI0ODQ5YjFiYjcxZjkzYjI2Mjc5NmZmNDgwNWZiZjA0NDY4ZTc0ZjlkZGZiNzYwYzU2YTJlODQ1MWZlIiwidGFnIjoiIn0=; laravel_session=eyJpdiI6ImpRTHh3S1djSmxVbXlPUXYxZzN5TXc9PSIsInZhbHVlIjoibnNZVWVqVUFrVEVYVTRBWm1DRWRFQ054Q2NPUE90VlAwaTg5SnZBVDA1ZDNoOGZuaWN4U1lhc2JPNC9uZG8xaDhnZ2RnaWNyZ29BaXBSRytEc1kvcHI5MVJuT3AybDBVdjc5b25IWDFtK3JXK2QrRHpoaWV1K2t1RXZxQzRJY1giLCJtYWMiOiJjYzI5ZjE2ZmI4YWE5NDNjOWY5ZTE3MWM3NjMxOTA3NjIyYWM5ZmRiMWQ1MTI2N2Y4MDFlMWFjZmZkZTljMTc4IiwidGFnIjoiIn0='

My .env frontend URL:
FRONTEND_URL=http://localhost:5173

iron granite
#

Why are you setting the XSRF token twice in your request?

cunning charm
#

One is the cookie

cunning charm
#

Also, 401 suggests you need to hit /login first.

#

You should use a better tool than curl tbh. curl is too bare-bones; you have to track the response cookies and manually update them for your next request.

It could be 401 because you're using an old session cookie.

dapper zephyr
#

I'm always hitting /login, decoding the XSRF-TOKEN cookie, and then passing it in the X-XSRF-TOKEN header, but I always get the same 401...

#

I'm just sharing the cURL, but I'm actually using APIDog. I share the cURL so you can see the full request.

#

This is my last request, and the X-XSRF-TOKEN looks fine, but I get the same error:

curl --location --request GET 'http://localhost:8080/api/user/9f580bcf-8721-49f0-987c-060afe4f372d' \
--header 'X-XSRF-TOKEN: eyJpdiI6ImFUMUJyRDlLekl0RUpMRGRlRCtmakE9PSIsInZhbHVlIjoiMTkwZjZJa2ZlN2tOTWdHcFh1K3JWZ2l2MExuazRuU2JiUmJMUmw4R0oyUXNvdFI0amR1SEo2WnBMejd1ZUpPMHVralFEWGU4UVFIb3hOUzRRRnFyd2w4d2Z5dFZBUzlFZEx6TXg3WldIYjRaa2pteS8vR1B5RmJjUERGVGVFT2giLCJtYWMiOiI0N2I4YmNkYjJmN2ZlNzVjMWU1MzA3OGUxNGFiZDczNmE5N2ZhMmEyNGUzNWYyYjk3YTIyNTdhZTAyZTgwNzE5IiwidGFnIjoiIn0=' \
--header 'Origin: http://localhost:5173' \
--header 'Referer: http://localhost:5173' \
--header 'Cookie: XSRF-TOKEN=eyJpdiI6Ii9HelZqMStTdkRYWXp1WTk4OXJmVUE9PSIsInZhbHVlIjoiN3dYSXV0Y3ZrclZJYjRsQ0IyUFp6QkUwWFpiK3g5THNEVkgwQW43RmhzcWl5dVZVTDB2Q2hXVnV1dEhGOHdENXErL3BURVkzNk9ISldxY1pRYkI5VHhhODRWamhqV2pCYlVEeEhOemwwcHNxYmZMc0ZETWovK1UxN3lHdmQveE8iLCJtYWMiOiIxZWFlNTU3N2I4MDQyOWJkNDIzZGYzM2Y5YjFhOTQ5Zjk3M2U5NzRkNDM2MjU2ZTQ1NmRhMThhMDBiZDRhMjMxIiwidGFnIjoiIn0=; laravel_session=eyJpdiI6Ijd5TFRNSmlEU2dZVDBlZHh0TWNaYlE9PSIsInZhbHVlIjoibElmZ2poUWwxYytGejM0bVd6SlJidUxQd3JjUlJGRzBPcDVjajNiTkNKZmpIT3puTW1zeThFNXY2VE4vSlNaRURPeVk4WjNZdFJqY1VyUlAwUFRIbE1BSXZGcklwL2pMdTFRY3lIRDlZMU96bnVlSThRcjBWVkZvdlVReHp3WmYiLCJtYWMiOiJhN2M2NTBmOGQ5ZThjNmQ4NWM1NWI2NmY2MjJjYjM3ZjE4NzdkMjhhODc4OTVkYWNlMzUyMDdhODYxOGEyZGRhIiwidGFnIjoiIn0='
#

I'm almost giving up, honestly. 4+ days just to set up a simple API tool like API Dog; it should be an industry standard... 😢

iron granite
#

Why aren't you just using Postman?

dapper zephyr
#

@iron granite, it's the same... They are simply API tools.

iron granite
#

I never used Api dog though, so I can't speak that much about it.

dapper zephyr
#

I'll try, but even with no platform at all I'm receiving the same error.

cunning charm
#

And why is your XSRF-TOKEN different from the X-XSRF-TOKEN?

#

They should be the same, except the X-XSRF-TOKEN is URI-decoded.
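The two recurring points in this thread (curl does not carry cookies from one response to the next request by itself, and the X-XSRF-TOKEN header must be the URL-decoded value of the XSRF-TOKEN cookie) as an added shell example that is not from the thread. It assumes the thread's backend at localhost:8080, a frontend origin of localhost:5173 that is listed in SANCTUM_STATEFUL_DOMAINS, and the login and user paths shown above.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. It walks the Sanctum SPA cookie
# flow with a curl cookie jar so the XSRF-TOKEN and laravel_session cookies set
# by one response are sent automatically on the next request, and it derives
# the X-XSRF-TOKEN header from the jar instead of pasting it in by hand.
set -euo pipefail

BASE="${BASE:-http://localhost:8080}"      # Laravel host used in the thread
ORIGIN="${ORIGIN:-http://localhost:5173}"  # assumed SPA origin; must be in SANCTUM_STATEFUL_DOMAINS
JAR="${JAR:-$(mktemp)}"                    # Netscape-format cookie jar written by curl -c

# Percent-decode like JavaScript's decodeURIComponent: %XX becomes a byte and
# '+' stays literal (Laravel URL-encodes the cookie, so "=" arrives as "%3D").
urldecode() {
  printf '%b' "${1//%/\\x}"
}

# Pull the XSRF-TOKEN cookie out of a cookie jar file and return it decoded;
# that decoded value is what belongs in the X-XSRF-TOKEN header.
xsrf_from_jar() {
  local raw
  raw=$(awk -F'\t' '$6 == "XSRF-TOKEN" { v = $7 } END { print v }' "$1")
  [ -n "$raw" ] || { echo "no XSRF-TOKEN cookie in $1" >&2; return 1; }
  urldecode "$raw"
}

# Full flow: prime the session, log in, then call the protected route.
# Every call sends the same Origin header and reuses the same jar; the GET
# needs no X-XSRF-TOKEN because Laravel's CSRF check skips GET/HEAD/OPTIONS.
sanctum_flow() {
  local token
  curl -sS -c "$JAR" -b "$JAR" -H "Origin: $ORIGIN" -o /dev/null "$BASE/sanctum/csrf-cookie"
  token=$(xsrf_from_jar "$JAR")
  curl -sS -c "$JAR" -b "$JAR" -X POST "$BASE/login" \
    -H "Origin: $ORIGIN" -H 'Accept: application/json' \
    -H 'Content-Type: application/json' -H "X-XSRF-TOKEN: $token" \
    --data-raw '{"email":"admin@email","password":"123456"}' \
    -o /dev/null -w 'login: HTTP %{http_code}\n'
  curl -sS -c "$JAR" -b "$JAR" -H "Origin: $ORIGIN" -H 'Accept: application/json' \
    "$BASE/api/user/9f580bcf-8721-49f0-987c-060afe4f372d" -w '\nuser: HTTP %{http_code}\n'
}

# Only hit the server when invoked as "./sanctum_flow.sh run"; otherwise the
# helpers can be sourced or tested offline.
if [ "${1:-}" = "run" ]; then
  sanctum_flow
fi
```

If the user request still returns 401 with this flow, the request is not being treated as stateful: check that the Origin host and port appear in SANCTUM_STATEFUL_DOMAINS, since Sanctum otherwise falls back to bearer-token authentication for that request.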