How to automatically add X-CSRF-TOKEN with jQuery ajax request in Laravel

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company

How to Automatically Add X-CSRF-TOKEN with jQuery AJAX Requests in Laravel

As developers working with Laravel, we frequently deal with asynchronous requests using JavaScript libraries like jQuery or native fetch API. When making these requests to a Laravel backend, security dictates that we must include the Cross-Site Request Forgery (CSRF) token to ensure the request originated from our application and not an external malicious site.

The challenge often lies in automating the inclusion of this token for every AJAX call without manually fetching and appending it to the data object each time. This guide will walk you through the most robust and idiomatic way to handle CSRF tokens with your jQuery AJAX requests in a Laravel environment.

Understanding Laravel's CSRF Mechanism

Laravel automatically sets up CSRF protection by embedding a unique token within every session. To protect against CSRF attacks, Laravel requires that state-changing requests (POST, PUT, DELETE) include this token.

In Blade templates, Laravel provides the helper function {{ csrf_token() }} which generates the necessary token string. This token is typically placed in a hidden input field within your HTML forms.

<input type="hidden" name="_token" value="{{ csrf_token() }}">

When a standard HTML form submits, this token is sent automatically. However, for dynamic AJAX requests, we need to replicate this behavior.

The Solution: Sending the Token in AJAX Data

The most common and recommended way to pass the CSRF token in an AJAX request is by including it as a parameter within the request data itself (usually in the data object for POST requests). This aligns perfectly with how Laravel expects the token to be validated.

Implementation with jQuery AJAX

When setting up your jQuery AJAX call, you simply include the token from your Blade view directly into the payload:

$.ajax({
    type: 'POST',
    url: '/email/unique',
    data: { 
        "_token": "{{ csrf_token() }}", // The crucial part: embedding the Laravel token
        "email": email 
    },
    success: function(data) {
        console.log(data);
    },
    error: function(xhr, status, error) {
        console.error("AJAX Error:", status, error);
    }
});

Why this works:

  1. Token Retrieval: The {{ csrf_token() }} directive executes on the server side (when the Blade file is rendered) and outputs the actual token string into your JavaScript payload.
  2. Laravel Validation: When the request hits your Laravel controller, Laravel automatically checks if the submitted _token matches the token stored in the session. If they match, the request proceeds; otherwise, it is rejected with a 419 error.

This method ensures that every AJAX request carries its own valid, context-specific CSRF token, making your application secure and adhering to Laravel's security standards. For more advanced discussions on framework architecture and security best practices in Laravel, exploring resources from the official Laravel Company is always highly beneficial.

Alternative: Using Custom Headers (Less Common for Basic CSRF)

While embedding the token in the body data is standard for form-based protection, some APIs or services might require tokens to be passed via HTTP headers. If your backend setup demands this, you can adapt the approach:

$.ajax({
    type: 'POST',
    url: '/email/unique',
    headers: {
        'X-CSRF-TOKEN': '{{ csrf_token() }}' // Sending token in a custom header
    },
    data: { 
        "email": email // Only data that isn't the token itself goes here
    },
    success: function(data) {
        console.log(data);
    }
});

While this is technically possible, relying on the standard _token parameter in the request body remains the most straightforward and framework-integrated approach when working within a typical Laravel MVC structure.

Conclusion

Automatically adding the CSRF token to your jQuery AJAX requests in Laravel is achieved by leveraging Blade's built-in {{ csrf_token() }} helper function directly within the data object of your .ajax() call. This method ensures that you maintain robust security while keeping your front-end code clean and efficient. Always prioritize these framework-provided methods when building secure applications, as demonstrated by the principles emphasized by Laravel Company.