CSRF token mismatch in Laravel - Rocketeers app


CSRF token mismatch in Laravel
==============================

### [\#Laravel](https://rocketeersapp.com/knowledge/laravel)

A CSRF token mismatch means Laravel rejected a request because its token was missing, wrong, or expired. It is the same protection that produces the 419 page; here is how to send the token correctly.

 Published by [Mark van Eijk](https://rocketeersapp.com/author/mark-van-eijk) on June 23, 2026 · 1 minute read

1. [About the error](#content-about-the-error)
2. [Why do I see this error](#content-why-do-i-see-this-error)
3. [Solution](#content-solution)
4. [Forms](#content-forms)
5. [AJAX requests](#content-ajax-requests)
6. [Expired sessions](#content-expired-sessions)
7. [Stateless routes (APIs, webhooks)](#content-stateless-routes-apis-webhooks)

[\#](#content-about-the-error "Permalink")About the error
---------------------------------------------------------

You'll see `CSRF token mismatch.` in an exception or API response, or the user lands on a [419 Page Expired](/419-page-expired-laravel) page. Laravel verifies a token on every state-changing request (`POST`, `PUT`, `PATCH`, `DELETE`) to block Cross-Site Request Forgery. If the token doesn't match the one in the session, the request is rejected. This is unrelated to a [CORS error](/cors-error-no-access-control-allow-origin), a separate browser-enforced cross-origin check that's easy to confuse with it.

[\#](#content-why-do-i-see-this-error "Permalink")Why do I see this error
-------------------------------------------------------------------------

- A form was submitted **without the `@csrf` token**.
- An **AJAX request** didn't send the `X-CSRF-TOKEN` header.
- The session **expired** (the page sat open too long), so the token is stale.
- A **session/cookie problem**: wrong `SESSION_DOMAIN`, or cookies blocked behind a proxy.

[\#](#content-solution "Permalink")Solution
-------------------------------------------

### [\#](#content-forms "Permalink")Forms

Add the `@csrf` Blade directive inside every form. It outputs the hidden `_token` field Laravel checks:

```blade
@csrf
```

### [\#](#content-ajax-requests "Permalink")AJAX requests

Expose the token in a meta tag and send it as a header on every request. With Axios:

```blade
<meta name="csrf-token" content="{{ csrf_token() }}">
```

```javascript
window.axios.defaults.headers.common['X-CSRF-TOKEN'] =
    document.querySelector('meta[name="csrf-token"]').content;
```

With jQuery:

```javascript
$.ajaxSetup({
    headers: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') }
});
```

### [\#](#content-expired-sessions "Permalink")Expired sessions

If users hit this after leaving a tab open, the token expired with the session. You can't avoid expiry entirely, but you can detect a 419 in your AJAX layer and refresh the page or token gracefully rather than failing silently.
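The following is an added example, not code from this article or from Laravel itself. It puts the two previous points together: a small `fetch()` wrapper that attaches the `X-CSRF-TOKEN` header from the `csrf-token` meta tag on every state-changing request, and that treats a 419 response as a signal to refresh the token and retry once rather than failing silently. The `fetchImpl`, `getToken` and `onExpired` parameters, and the `createCsrfClient` name, are assumptions made here so the logic can run outside a browser; the defaults read the meta tag and reload the page on 419.

```javascript
// Added example, not code from the Rocketeers article or from Laravel: a fetch()
// wrapper for same-origin, session-backed requests. It attaches the CSRF token on
// state-changing methods and handles a 419 "Page Expired" response instead of
// failing silently. fetchImpl, getToken and onExpired are injectable (an assumption
// made here for testability); the defaults are the browser's fetch, the meta tag
// and a page reload.

const CSRF_HEADER = 'X-CSRF-TOKEN';
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Laravel only verifies the token on state-changing methods; GET/HEAD/OPTIONS
// never carry it, which also keeps the token out of query strings and referrers.
function shouldAttachToken(method) {
  return STATE_CHANGING.has(String(method || 'GET').toUpperCase());
}

// Reads the token from the <meta name="csrf-token"> tag in the Blade layout.
function tokenFromMeta(doc = globalThis.document) {
  const meta = doc ? doc.querySelector('meta[name="csrf-token"]') : null;
  return meta && meta.content ? meta.content : null;
}

// Default 419 handler: reload so the browser gets a fresh session and token.
// Returns null because there is no token to retry with; the reload takes over.
function reloadPage() {
  if (globalThis.location && typeof globalThis.location.reload === 'function') {
    globalThis.location.reload();
  }
  return null;
}

function createCsrfClient({
  fetchImpl = globalThis.fetch,
  getToken = () => tokenFromMeta(),
  onExpired = reloadPage, // may resolve to a fresh token string to enable one retry
} = {}) {
  async function request(url, init = {}, retryToken = null) {
    const method = String(init.method || 'GET').toUpperCase();
    const headers = { ...(init.headers || {}) };

    if (shouldAttachToken(method)) {
      const token = retryToken || getToken();
      if (!token) {
        throw new Error('CSRF token not found: add the csrf-token meta tag to the layout');
      }
      headers[CSRF_HEADER] = token;
    }

    // credentials: 'same-origin' sends the session cookie with the request;
    // without a session the server has nothing to compare the token against.
    const response = await fetchImpl(url, { ...init, method, headers, credentials: 'same-origin' });

    if (response.status === 419 && retryToken === null) {
      const fresh = await onExpired(response);
      if (typeof fresh === 'string' && fresh.length > 0) {
        return request(url, init, fresh); // retry exactly once with the refreshed token
      }
      throw new Error('Session expired (HTTP 419) and the CSRF token could not be refreshed');
    }
    // A second 419 after the retry is returned as-is so the caller can surface it.
    return response;
  }

  return { request };
}
```

In a browser, `createCsrfClient().request('/profile', { method: 'POST', body })` is enough: the token comes from the meta tag and a 419 reloads the page. If the application has a way to obtain a fresh token without a full reload (for example by re-fetching the layout and reading its meta tag), pass that as `onExpired` and the failed request is replayed once with the new token.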

### [\#](#content-stateless-routes-apis-webhooks "Permalink")Stateless routes (APIs, webhooks)

CSRF protection is for session-based, browser-driven requests. It doesn't apply to a stateless API or an incoming webhook: exclude those routes and authenticate them with tokens or signed URLs instead. See [disabling CSRF in Laravel](/disable-csrf-in-laravel) for how to exclude specific routes.

