/**
 * Postman pre-request script that appends the CSRF token as a header on POST requests to a
 * Laravel Sanctum authenticated SPA. Requires an active environment with the {{url}} variable
 * defined for the main app domain.
 *
 * Postman Interceptor can append cookies from the browser, but the Laravel CSRF middleware
 * only validates the CSRF token from a header or the _token form field, not from cookies. Axios
 * automatically copies the CSRF token from the cookie into a header, but Postman cannot read
 * intercepted cookies and use them, so we make one extra request to get the CSRF token, store
 * it in the environment so it can be reused, and then append it to the headers.
 */
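// Attach the Sanctum CSRF token to every non-GET request before it is sent.
// NOTE(review): the header-add and cookie-lookup calls were missing from this
// listing as extracted; they are restored here as pm.request.headers.add() and
// cookies.one() — confirm against the original script.
if (pm.request.method !== 'GET') {
    const cachedToken = pm.environment.get('XSRF-TOKEN');

    if (cachedToken) {
        // Reuse the token stored by an earlier run. It belongs to one server-side
        // session, so clear the XSRF-TOKEN variable when the session changes or
        // requests start failing CSRF validation. Treat it as a session secret:
        // keep it out of exported or shared copies of the environment.
        pm.request.headers.add({
            key: 'x-xsrf-token',
            value: cachedToken,
        });
    } else {
        const csrfRequestUrl = pm.environment.get('url') + '/sanctum/csrf-cookie';

        // The third callback argument is read inside the body rather than
        // destructured in the signature, so a failed request reports its error
        // instead of throwing on an undefined argument.
        pm.sendRequest(csrfRequestUrl, function (err, res, details) {
            if (err) {
                console.error('CSRF cookie request failed:', err);
                return;
            }

            const cookies = details && details.cookies;
            const xsrfCookie = cookies ? cookies.one('XSRF-TOKEN') : undefined;

            if (xsrfCookie) {
                // The cookie value is URL-encoded; decode it before using it as
                // the header value.
                const xsrfToken = decodeURIComponent(xsrfCookie['value']);
                pm.request.headers.add({
                    key: 'x-xsrf-token',
                    value: xsrfToken,
                });
                // Cache the token so later requests skip the extra round trip.
                pm.environment.set('XSRF-TOKEN', xsrfToken);
            } else {
                console.warn('No XSRF-TOKEN cookie returned by ' + csrfRequestUrl);
            }
        });
    }
}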