CSRF token mismatch in Laravel

1. About the error
2. Why do I see this error
3. Solution
4. Forms
5. AJAX requests
6. Expired sessions
7. Stateless routes (APIs, webhooks)

#About the error

You'll see CSRF token mismatch. in an exception or API response, or the user lands on a 419 Page Expired page. Laravel verifies a token on every state-changing request (POST, PUT, PATCH, DELETE) to block Cross-Site Request Forgery. If the token doesn't match the one in the session, the request is rejected. This is unrelated to a CORS error, a separate browser-enforced cross-origin check that's easy to confuse with it.

#Why do I see this error

• A form was submitted without the @csrf token.
• An AJAX request didn't send the X-CSRF-TOKEN header.
• The session expired (the page sat open too long), so the token is stale.
• A session/cookie problem: wrong SESSION_DOMAIN, or cookies blocked behind a proxy.

#Solution

#Forms

Add the @csrf Blade directive inside every form. It outputs the hidden _token field Laravel checks:

<form method="POST" action="/profile">
    @csrf
    <!-- fields -->
</form>

#AJAX requests

Expose the token in a meta tag and send it as a header on every request. With Axios:

<meta name="csrf-token" content="{{ csrf_token() }}">

window.axios.defaults.headers.common['X-CSRF-TOKEN'] =
    document.querySelector('meta[name="csrf-token"]').content;

With jQuery:

$.ajaxSetup({
    headers: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') }
});

#Expired sessions

If users hit this after leaving a tab open, the token expired with the session. You can't avoid expiry entirely, but you can detect a 419 in your AJAX layer and refresh the page or token gracefully rather than failing silently.

#Stateless routes (APIs, webhooks)

CSRF protection is for session-based, browser-driven requests. For a stateless API or an incoming webhook it doesn't apply, exclude those routes and authenticate with tokens or signed URLs instead. See disabling CSRF in Laravel for how to exclude specific routes.