manchenkoff / nuxt-auth-sanctum

Nuxt module for Laravel Sanctum authentication
https://manchenkoff.gitbook.io/nuxt-auth-sanctum/
MIT License

[Question] Separate endpoints for cookie and token based clients? #120

Open j-jalving opened 4 days ago

j-jalving commented 4 days ago

I'm trying to implement nuxt-auth-sanctum for my Nuxt/Capacitor project that will be deployed to the web and as a native app. For my web build I will use cookie based authentication, but for my native app build I will use token based authentication.

The documentation tells me:

Your API should have at least two endpoints for login and logout which are not covered by stateful middleware, so make sure that you do not use the same endpoints as for cookie-based authentication to avoid CSRF token mismatch errors.

Does this only go for the login and logout endpoints? Or should all my endpoints ('forgot-password', 'user', etc.) have separate versions for clients that use token based authentication?

manchenkoff commented 3 days ago

Hey @j-jalving!

The documentation is written mostly for web apps and the reason why you should have endpoints without stateful middleware is that it expects a CSRF cookie/header which will not be included when you work with a token.

I am not an expert in Capacitor, but I would imagine that when you send a request from a mobile application, you don't have Origin/Referer headers, so I guess it should work even with the same endpoints.

Anyway, just make sure that all requests from your mobile application will not be handled by Laravel as CSRF-compatible.

P.S. I would really appreciate it if you could test it and share the feedback so I can update the docs with a clearer description for mobile apps.
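To illustrate the distinction the maintainer draws above, here is an added Laravel routing example; it is not code from nuxt-auth-sanctum or from either participant. It assumes a Laravel 11 app whose `api` middleware group has Sanctum's `EnsureFrontendRequestsAreStateful` applied (the `statefulApi()` setup), a `User` model using `HasApiTokens`, and the `/mobile` prefix and `device_name` field, which are illustrative choices. The point it demonstrates is that the token-only routes are explicitly taken out of the stateful middleware, so they never require the CSRF cookie/header regardless of which `Origin`/`Referer` headers the native client happens to send, while the cookie-based SPA routes keep it.

```php
<?php
// routes/api.php (added example, not part of the nuxt-auth-sanctum project)

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;

// --- Cookie-based SPA routes ---------------------------------------------
// These stay under the stateful middleware: a request from a domain listed in
// config/sanctum.php "stateful" is authenticated by session cookie and must
// carry the XSRF-TOKEN cookie / X-XSRF-TOKEN header. Login/logout for the SPA
// live in routes/web.php (e.g. Breeze/Fortify), so they are not repeated here.
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/user', fn (Request $request) => $request->user());
});

// --- Token-based routes for the native (Capacitor) build ------------------
// withoutMiddleware() removes the stateful middleware for this group only, so
// no CSRF check is ever attempted here. Authentication is purely
// "Authorization: Bearer <plain-text token>", checked by the auth:sanctum guard.
Route::prefix('mobile')
    ->withoutMiddleware(EnsureFrontendRequestsAreStateful::class)
    ->group(function () {

        // Exchange credentials for a personal access token (no session involved).
        Route::post('/login', function (Request $request) {
            $data = $request->validate([
                'email'       => ['required', 'email'],
                'password'    => ['required'],
                'device_name' => ['required', 'string'], // assumed field, labels the token
            ]);

            $user = User::where('email', $data['email'])->first();

            // Same generic error for unknown user and wrong password, so the
            // response does not reveal which accounts exist.
            if (! $user || ! Hash::check($data['password'], $user->password)) {
                return response()->json(['message' => 'Invalid credentials.'], 422);
            }

            return response()->json([
                'token' => $user->createToken($data['device_name'])->plainTextToken,
            ]);
        });

        Route::middleware('auth:sanctum')->group(function () {
            // Same resource as the SPA "/user" route, served on a separate path
            // so the two client types never share an endpoint.
            Route::get('/user', fn (Request $request) => $request->user());

            // Logout revokes only the token used for this request; other devices
            // keep their own tokens.
            Route::post('/logout', function (Request $request) {
                $request->user()->currentAccessToken()->delete();

                return response()->noContent();
            });
        });
    });
```

With this layout the web build of the Nuxt app points nuxt-auth-sanctum at `/user` and the session-based web login, while the native build points its login, logout and user endpoints at the `/mobile/...` routes. If the token-based routes were instead left inside the stateful group, a request that happened to match a `stateful` domain (for example a `localhost` origin) would be treated as a cookie session and fail with a CSRF token mismatch, which is exactly the situation the documentation sentence quoted in the question is guarding against.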