Trying to look into this and what could be going wrong , Im assuming you have a vue app on a different domain (non laravel) and you are trying to make requests to laravel on a different domain ? If so, I don’t think you need the card token because you are essentially consuming the api from a “third party app”. Like an iPhone app sending requests to /api. Your bearer / passport is the way it will validate . Csrf is really just a meta tag in laravel that JavaScript reads per user session and gets auto included with each axioms requestfr inside laravel to laravel.

Can I just confirm with you that your logout route is actually inside the same route group /v1 as the other routes and you are not duplicating the route group code for the logout route ?

Thank you so much Cameron! I found the issue after 2 days of scratching my head lol. I checked everything from the Laravel doc, vue, axios, crazy time......

The problem was right there front of my eyes:

axios.post('https://web.testing/api/v1/logout', {
      headers: {
        'Accept': 'application/json',
        'Authorization' : 'Bearer ' + token
      }
      })
      .then(response => {

        context.commit('logout');

      })

If you look closer at the axios.post(), it should contain 3 parameters, and if you only send a header without data, then in the second parameter field, you should add "null", It is when I changed my IDE from Visual Code Studio to PHPSTORM that a "Data hint" field showed up, then I thought.....hey wait a minute, this is not data I am sending but a header....

It now working.

I have to say the whole experience was not fun because I was expecting at least to get a notifications error form Axios, or Laravel to help me find the issue a bit faster:-)

Thanks again for your help and I hope this post will help others.