How to send csrf_token() inside AngularJS form using Laravel API?

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company
# How to Send CSRF Token() Inside AngularJS Forms Using a Laravel API Building modern, dynamic applications often involves combining powerful frontend frameworks like AngularJS with robust backend APIs provided by Laravel. While the initial setup for fetching data is straightforward, integrating security mechanisms like Cross-Site Request Forgery (CSRF) protection into asynchronous requests can become surprisingly tricky. Many developers run into `500 error`s because they misunderstand how Laravel expects CSRF tokens to be validated during AJAX interactions versus standard form submissions. This post will walk you through the correct, secure, and practical way to handle CSRF token transmission when using an AngularJS frontend to interact with a Laravel API. ## Understanding the CSRF Mismatch The issue you are facing—the `500 error` due to a token mismatch—stems from how Laravel’s built-in CSRF protection works. When a standard HTML form is submitted, the browser automatically includes a hidden input field containing the token generated by `{{ csrf_token() }}`. However, when you use `$http.post()` in AngularJS for an API call, you are making a direct request that bypasses the automatic form submission mechanism. Laravel's default middleware expects this token to be present either in a specific header (like `X-CSRF-TOKEN`) or within the POST body parameters, depending on how your route and filters are configured. Simply passing a token from the client side often fails because the server validation logic doesn't recognize it as the valid session token unless it follows the expected convention. ## The Recommended Solution: API Token Handling For modern RESTful applications built with Laravel and an AJAX frontend, the most robust method is to ensure that the necessary security information is passed via HTTP headers, which is the standard practice for API communication. ### Step 1: Ensure Proper Blade Token Generation First, ensure your Blade view correctly outputs the token, as you have done: ```html ``` This part is correct for traditional form submissions, but we need to adapt it for AJAX. ### Step 2: Sending the Token in the Request Headers (The API Way) Instead of trying to inject the token into the request body parameters like you attempted, send the token explicitly in a custom header. Laravel is designed to look for tokens in specific headers when using routes and filters like those defined by `Route::filter('csrf', ...)` (as seen in many Laravel setups). Modify your AngularJS service call to include the token in the request headers: ```javascript $scope.addItem = function(CSRF_TOKEN) { $http({ method : 'POST', url : '/shop', data : { text: $scope.itemEntry }, // Only pass actual data here headers : { 'Content-Type': 'application/json', // Use JSON for modern APIs 'X-CSRF-TOKEN': CSRF_TOKEN // Pass the token in a specific header } }).then(function(response) { console.log('Success:', response); // Handle success logic here... }).catch(function(error) { console.error('Error during item addition:', error); }); } ``` ### Step 3: Configuring Laravel for Header Validation To make this work seamlessly, you need to ensure your Laravel route and filter are set up to listen for the token in the header. While the default setup often relies on session checks, explicitly validating the header provides clearer control, especially when dealing with decoupled applications. If you are using simple API routes without complex session interaction for every request (which is common in pure REST setups), ensure your route definition allows for this header check. For more advanced security configurations, exploring Laravel's built-in API scaffolding and middleware can simplify these concerns, as documented on the official site at https://laravelcompany.com. ## Conclusion: Best Practices for AngularJS & Laravel Integration The key takeaway is that when bridging an asynchronous framework like AngularJS with a secure backend like Laravel, treat the communication strictly as an API interaction. Avoid trying to replicate traditional HTML form behavior directly in your AJAX calls. By explicitly passing the CSRF token via a custom HTTP header (e.g., `X-CSRF-TOKEN`), you align your frontend request with how modern APIs expect security tokens to be communicated. This approach resolves the mismatch errors because Laravel can successfully validate the token provided in the header against the current session state, ensuring your data operations are both functional and secure. Always prioritize using official Laravel patterns when structuring your API endpoints to maintain security integrity.