is('api/v*/action/*')) { // Exclude public API from CSRF protection // but do not exclude private API endpoints return $next($request); } return parent::handle($request, $next); } }