How to send authentication header to laravel sanctum with axios

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company

Sending Authentication Headers to Laravel Sanctum with Axios: A Deep Dive

Working with distributed applications—where a Laravel backend serves an API and an independent client (like one using Axios) consumes it—often introduces specific challenges around authentication token transmission. When dealing with Laravel Sanctum, ensuring that the authorization header is correctly interpreted by the Sanctum middleware is crucial. As a senior developer, I often encounter situations where the token is present in the request but the server still returns a 401 Unauthorized error.

This post will diagnose why your previous attempt failed and provide the robust, correct method for sending Laravel Sanctum tokens via Axios to protected routes.

The Anatomy of the Problem: Why You Received a 401

You correctly identified that the standard way to send an authentication token is by including it in the Authorization header using the Bearer scheme: Authorization: Bearer <token>.

However, when this method fails with a 401 error, the issue usually lies not in how you format the header on the client side, but in how the server-side Sanctum middleware is configured or how the token itself is being validated.

In the context of Laravel Sanctum, there are two primary ways Sanctum handles authentication: using session cookies (for SPAs communicating with Laravel) or using API tokens (for mobile apps or decoupled services). If you are relying purely on API tokens sent via headers, the setup must be explicit.

The most common reason for failure is often related to CORS configuration or ensuring that the Sanctum guard is correctly set up to inspect the Authorization header before processing the request. When building robust APIs using Laravel, understanding this interaction between HTTP standards and framework middleware is key, aligning with best practices promoted by systems like those found at laravelcompany.com.

The Correct Implementation for Axios and Sanctum

To successfully authenticate requests to your Sanctum-protected routes from an external client using Axios, you must ensure the token is attached correctly to every request.

Here is the step-by-step breakdown of the correct approach:

1. Token Retrieval (Client Side)

Ensure your client retrieves the token securely (e.g., from localStorage or secure cookies set by Sanctum).

import axios from "axios";

// Assume this token has been correctly retrieved from storage
const token = localStorage.getItem('sanctum_token'); 
const basePath = "http://localhost:8000/api/";

if (!token) {
    console.error("Authentication token not found.");
    return;
}

2. Sending the Request (Axios Side)

Attach the token to the Authorization header exactly as required by the Bearer scheme. Your original approach was structurally correct, but we will refine it for clarity and ensure robust error handling.

axios.get(basePath + 'templates', {
    headers: {
        'Authorization': `Bearer ${token}`
    }
})
.then(response => {
    console.log('Success:', response.data);
})
.catch(error => {
    // Handle the 401 error specifically
    if (error.response && error.response.status === 401) {
        console.error("Authentication Failed: Token is invalid or missing.", error.response.data);
    } else {
        console.error("An error occurred:", error);
    }
});

3. Server-Side Verification (Laravel Sanctum)

On the Laravel backend, ensure your route group explicitly uses the auth:sanctum middleware. This middleware is designed to intercept incoming requests and check for a valid token in the Authorization header before allowing access to the route handler.

// routes/api.php

use App\Http\Controllers\TemplateController;
use Illuminate\Support\Facades\Route;

Route::group(['middleware' => ['auth:sanctum']], function () {
    // This route will now only be accessible if a valid Sanctum token is present in the header
    Route::get('/templates', [TemplateController::class, 'index']);
});

If you are still encountering issues after confirming the client-side headers and server-side middleware, inspect the full response from the server. A 401 error often means Sanctum did not find a token or the token provided does not belong to an authenticated user. Debugging this flow systematically is essential for maintaining strong API security architecture.

Conclusion

Sending authentication headers with Axios to a Laravel Sanctum backend is fundamentally about adhering to HTTP standards while ensuring framework middleware correctly implements those standards. By explicitly setting the Authorization: Bearer <token> header, you are providing the necessary information for the Sanctum middleware to perform its validation check. Always verify that your token retrieval mechanism on the client side is sound and that your Laravel routes are configured to expect this token format. Mastering this interaction ensures secure and seamless communication between your distributed application components.