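// NOTE(review): this listing starts inside the first array value; the opening
// (presumably `return [ 'paths' =>` of a Laravel CORS config) is not shown.
// The listing was also collapsed onto one line, so every `//` comment
// swallowed the code after it; it is laid out one entry per line here.
[
        // URL patterns that receive CORS headers.
        'api/*',
        'oauth/*', // Laravel Passport routes
        'sanctum/csrf-cookie',
        'storage/*',
    ],

    // All HTTP methods are accepted; narrow this list if the API only serves a few.
    'allowed_methods' => ['*'],

    // Explicit origin allowlist. The original value was ['*'] together with
    // 'supports_credentials' => true. Browsers refuse a literal
    // `Access-Control-Allow-Origin: *` on credentialed requests, so CORS
    // middleware given that combination typically echoes the caller's Origin
    // header instead, which lets any site read authenticated responses.
    // NOTE(review): confirm how the installed CORS middleware treats that pairing.
    // The value below is the placeholder from the original comment; replace it
    // with the real front-end origin(s), scheme and port included.
    'allowed_origins' => ['https://your-frontend.com'],

    // Regex patterns are harder to audit than literal origins; keep this empty
    // unless the set of origins cannot be enumerated.
    'allowed_origins_patterns' => [],

    'allowed_headers' => ['*'],

    // Response headers that scripts on an allowed origin may read. Both carry
    // secrets, so the origin allowlist above is what protects them.
    'exposed_headers' => [
        'Authorization', // So frontend can read access token from headers (if needed)
        'X-CSRF-TOKEN',
    ],

    // Seconds a browser may cache a preflight response.
    'max_age' => 0,

    // Needed for cookie or session-based auth. Only safe alongside an explicit
    // origin allowlist, never a wildcard.
    'supports_credentials' => true,

];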