BUT… if your route is not under api/*, then CSRF validation will still run, and Postman does not send a CSRF token by default. This causes Laravel to reject the request with 401 (or sometimes 419, depending on your Laravel version).