Http Post in laravel using fetch api giving TokenMismatchException

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company
# Solving the TokenMismatchException: Making HTTP POST Requests with Fetch in Laravel As a senior developer working with modern JavaScript frontends and robust backend frameworks like Laravel, you frequently run into synchronization issues when trying to bridge the gap between client-side requests and server-side security mechanisms. A very common stumbling block is making an HTTP POST request using the `fetch` API while dealing with Laravel's built-in CSRF protection, often resulting in a cryptic `TokenMismatchException`. This post will dive into why your `fetch` call might be failing where jQuery AJAX succeeds, and provide the correct, secure methodology for handling token transmission in modern API interactions. ## The Conflict: Why Fetch Fails Where AJAX Succeeds You are encountering this issue because of how Laravel's CSRF protection is designed to work, especially concerning cross-origin requests and cookie handling. When you use jQuery AJAX with a standard form submission or `data` payload, the browser handles setting necessary cookies (including session tokens) automatically based on the context of the request originating from the same domain. This often allows Laravel's middleware (`VerifyCsrfToken`) to correctly validate the token present in the request. However, when you switch to the native `fetch` API, especially when using options like `mode: 'no-cors'`, you are essentially bypassing some of the standard browser mechanisms that facilitate secure session and cookie exchange across origins. The server receives the request, but it fails to find or correctly validate the expected CSRF token because the context provided by the `fetch` call is incomplete for Laravel's security checks. The error `TokenMismatchException in VerifyCsrfToken.php` confirms that the application logic is running, but the security layer rejected the request due to a missing or invalid token validation step. ## The Solution: Correctly Handling Tokens in Fetch API Calls For modern API interactions in Laravel, especially when dealing with external clients (like SPAs), relying solely on CSRF tokens for every cross-origin request can be cumbersome. A more robust and modern approach is to use token-based authentication methods like **Laravel Sanctum** or standard **API Tokens**. However, if you *must* maintain the CSRF flow for specific requests, here is how you adjust your `fetch` call to correctly send the token, focusing on proper headers rather than relying on form action attributes. ### Method 1: Sending the Token via a Custom Header (Recommended Practice) Instead of trying to mimic an old form submission structure in `fetch`, the best practice is to treat the request as a pure API interaction and pass the token explicitly in an HTTP header. This is cleaner, more explicit, and works better