amrnn90/breeze-nuxt

Only works on same domain

timothymarois opened this issue · 1 comments

With CSRF and relying on Laravel cookies, it appears this cannot be opened up to cross-domains. The best setup is to have API and UI on their own isolated domain names. A root and a subdomain. Unless I'm missing something, it doesn't appear that this will work.

Hi @timothymarois,
This should work as long as your API and frontend share the same top-level domain.
From the Laravel Sanctum docs:

In order to authenticate, your SPA and API must share the same top-level domain. However, they may be placed on different subdomains.

You will likely need to add the following to your Laravel environment variables to avoid authentication issues:

SESSION_DOMAIN=.yourdomain.com

Pay attention to include that dot prefix.

Hope this helps.
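To check a deployment against the rule quoted in the reply above, the sketch below applies the RFC 6265 cookie domain-match to a frontend host, an API host and a `SESSION_DOMAIN` value. It is an added example, not code from breeze-nuxt or Laravel; the function names and the `app.`/`api.` hostnames are assumptions, and it does not consult the Public Suffix List.

```javascript
// RFC 6265 section 5.1.3 domain-match: does a cookie scoped to
// cookieDomain apply to host? Hosts are bare names, without a port.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  // Strip the leading dot, as RFC 6265 does before matching.
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  // Suffix matching never applies to IP addresses.
  const isIp = /^[\d.]+$/.test(h) || h.includes(":");
  return h === d || (!isIp && h.endsWith("." + d));
}

// Check one deployment. sessionDomain is the SESSION_DOMAIN value
// ("" when the variable is unset). Returns a list of problems.
function checkSetup(spaHost, apiHost, sessionDomain) {
  const problems = [];
  if (!sessionDomain) {
    // No Domain attribute: the cookie is host-only and stays on the API host,
    // so the frontend host cannot see it.
    if (spaHost.toLowerCase() !== apiHost.toLowerCase()) {
      problems.push("SESSION_DOMAIN unset: cookies are host-only for " + apiHost);
    }
    return problems;
  }
  // A browser rejects a Set-Cookie whose Domain does not match the responding host.
  if (!domainMatches(apiHost, sessionDomain)) {
    problems.push(apiHost + " cannot set a cookie for " + sessionDomain);
  }
  // The frontend host must also fall inside the cookie's domain.
  if (!domainMatches(spaHost, sessionDomain)) {
    problems.push(spaHost + " is outside cookie domain " + sessionDomain);
  }
  return problems;
}

// Constructed sample deployments (hostnames are placeholders).
const samples = [
  ["app.yourdomain.com", "api.yourdomain.com", ".yourdomain.com"],
  ["app.yourdomain.com", "api.yourdomain.com", ""],
  ["app.example.org", "api.yourdomain.com", ".yourdomain.com"],
];
for (const [spa, api, dom] of samples) {
  const problems = checkSetup(spa, api, dom);
  console.log(spa, api, JSON.stringify(dom), problems.length ? problems : "ok");
}
```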