Laravel Password Reset Token

- 1 answer

Okay, this is very beginner, but I'd like an explanation. In the built-in Laravel password reset in the "postReset" method below, it specifies "token"...however, when using {!! csrf_field() !!} in the view, it generate as the input name="_token". Does the _ count as an actual character when matching up the names? Just confused how the database migration uses "token", but the csrf field sets up the input name as "_token".

public function postReset(Request $request)
        $this->validate($request, [
            'token' => 'required',
            'email' => 'required|email',
            'password' => 'required|confirmed|min:6',

        $credentials = $request->only(
            'email', 'password', 'password_confirmation', 'token'

        $response = Password::reset($credentials, function ($user, $password) {
            $this->resetPassword($user, $password);




You don't need a _token for password reset or migration. But it is absolutely needed if you are sending any inputs to the laravel in post method.

Laravel makes it easy to protect your application from cross-site request forgery (CSRF) attacks. Cross-site request forgeries are a type of malicious exploit whereby unauthorized commands are performed on behalf of an authenticated user.


How can i include the csrf token in my form ?

You can include the csrf token by having this inside your form

<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">

Tip :

You can handle the action after the CSRF Token filter inside


Hope this helps you.