My problem is solved now, sort of. Posting here in case anyone happens to have the same confusion.

So I went to the IRC last night, and a friendly guy named 'luck' informed me that Laravel automagically sets a session every time, but that the auth session is still empty if I use Auth::onceBasic().

I did a dd(Session::all()), and it's correct.

Auth::basic()

array(3) { ["_token"]=> string(40) "zwXXXXXXXXXXXX" ["flash"]=> array(2) { ["old"]=> array(0) { } ["new"]=> array(0) { } } ["login_82XXXXXXXXXXXXXXXXfc"]=> int(1) }

Auth::onceBasic()

array(2) { ["_token"]=> string(40) "eRXXXXXXXXXXXX" ["flash"]=> array(2) { ["old"]=> array(0) { } ["new"]=> array(0) { } } }

He also informed me that sessions can be disabled entirely by setting 'driver' => 'array' in app/config/session.php. But considering that I only want statelessness in a specific route group, this was not an option.

Whether or not it's a bug, I have no idea, but I think it should be okay this way. I still find it weird that my browser is remembering my authentication though, I don't know if that behavior is different if I use cURL. Alternatively, he recommended me to use OAuth instead of basic HTTP, as it has become a de facto auth method for APIs.

I'll mark this post as a solution. :-)

EDIT: Just found out that you actually can set a specific route group to have sessions disabled, by using this solution: http://stackoverflow.com/a/21717582