POST body not captured in fresh Laravel inertia app

[Riley19280]

What were you trying to do?

Create a new laravel react app, install it on and android device, and register a user

What happened?

Validation errors indicating that every form field is required

How to reproduce the bug

1. Create a new laravel app with laravel new my-app, choose react
2. composer require nativephp/mobile
3. update the .env with vars

NATIVEPHP_APP_ID=com.yourcompany.yourapp
NATIVEPHP_APP_VERSION="DEBUG"
NATIVEPHP_APP_VERSION_CODE="1"

4. php artisan native:install
5. php artisan native:run android
6. click register at the top
7. fill out the registration from
8. Click submit
9. Observe all validation errors for the fields you filled out

Debug Output

INFO NativePHP Mobile.

+--------------------+--------+
| Package Version | 3.2.3 |
| PHP Version (Host) | 8.4.1 |
| OS | Darwin |
| OS Version | 23.0.0 |
| Embedded PHP | 8.4 |
+--------------------+--------+

INFO Installed Plugins.

None

INFO Development Tools.

+----------------+--------------------------------------+
| Xcode | Not found |
| Android Studio | Android Studio AndroidStudio2025.3.3 |
| Gradle | Gradle 8.13 |
| Java | openjdk version "21.0.9" 2025-10-21 |
| CocoaPods | Not found |
+----------------+--------------------------------------+

Which operating systems have you seen this occur on?

macOS

Which platforms were you trying to build for?

Android (Device)

Notes

It appears that the post body from the registration request was captured but not found

Details

04-19 22:54:02.337 24877 25008 D PHPMonitor-JS: 📦 POST data captured (fetch/XHR) for: http://127.0.0.1/register reqId=nphp_1_1776653642337 (length=88)
04-19 22:54:02.337 24877 25008 D PHPBridge: Stored POST data for key=nphp_1_1776653642337 (length=88)
04-19 22:54:02.338 24877 25008 D LaravelSecurity: 🔎 Extracting CSRF token from body
04-19 22:54:02.338 24877 25008 D PHPMonitor-JS: 📦 POST data captured (fetch/XHR) for: http://127.0.0.1/register reqId=nphp_1_1776653642338 (length=88)
04-19 22:54:02.338 24877 25008 D PHPBridge: Stored POST data for key=nphp_1_1776653642338 (length=88)
04-19 22:54:02.338 24877 25008 D LaravelSecurity: 🔎 Extracting CSRF token from body
04-19 22:54:02.339 24877 24925 D PHPMonitor: 🔄 Intercepting POST request to http://127.0.0.1/register
04-19 22:54:02.339 24877 24925 D PHPMonitor-Headers: 📋 Origin: http://127.0.0.1
04-19 22:54:02.339 24877 24925 D PHPMonitor-Headers: 📋 X-NativePHP-Req-Id: nphp_1_1776653642337, nphp_1_1776653642338
04-19 22:54:02.339 24877 24925 D PHPMonitor-Headers: 📋 X-Requested-With: XMLHttpRequest
04-19 22:54:02.339 24877 24925 D PHPMonitor-Headers: 📋 Accept: text/html, application/xhtml+xml
04-19 22:54:02.339 24877 24925 D PHPMonitor-Headers: 📋 X-XSRF-TOKEN: eyJpdiI6IjE3OXBCV2ljdmR2Wjhmc0I3ditXN3c9PSIsInZhbHVlIjoiYjZPNmxUNTc3RTRXZmVOUE5sV2ZSR0doVEgwKzJ1YmU2WkZna3YvVlVKcUl3dy9ONnhXOGl3MFEwUDRzaVBWN2JiK2tjK1BNRTB3Y0o4QlVSbWJlQnlBdHo1ZHZtc3BHejFoM0xJandNSmNlTXFFYW1UYlY4QmkxdlFFUVM5MFMiLCJtYWMiOiJmMTBmYzc5OGRhNGZlMDNlOWU0MDNjZWRkOGFkZDRmMjY5N2U1NDEwNjUxMmFkOTk3MmJmM2E5NGQwY2ZhNjY1IiwidGFnIjoiIn0=
04-19 22:54:02.339 24877 24925 D PHPMonitor-Headers: 📋 User-Agent: Mozilla/5.0 (Linux; Android 13; SM-N986U Build/TP1A.220624.014; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/146.0.7680.178 Mobile Safari/537.36
04-19 22:54:02.339 24877 24925 D PHPMonitor-Headers: 📋 Referer: http://127.0.0.1/register
04-19 22:54:02.339 24877 24925 D PHPMonitor-Headers: 📋 sec-ch-ua: "Chromium";v="146", "Not-A.Brand";v="24", "Android WebView";v="146"
04-19 22:54:02.339 24877 24925 D PHPMonitor-Headers: 📋 sec-ch-ua-mobile: ?1
04-19 22:54:02.339 24877 24925 D PHPMonitor-Headers: 📋 X-Inertia-Version: aeffa900c7bcbd8bfa1bd404783a0ff9
04-19 22:54:02.339 24877 24925 D PHPMonitor-Headers: 📋 sec-ch-ua-platform: "Android"
04-19 22:54:02.339 24877 24925 D PHPMonitor-Headers: 📋 X-Inertia: true
04-19 22:54:02.339 24877 25008 D PHPMonitor-JS: 📦 POST data captured (form) for: http://127.0.0.1/register path=/register (length=72)
04-19 22:54:02.339 24877 24925 D PHPMonitor-Headers: 📋 Content-Type: application/json
04-19 22:54:02.339 24877 25008 D PHPBridge: Stored POST data for key=http://127.0.0.1/register (length=72)
04-19 22:54:02.339 24877 25008 D PHPBridge: Stored POST data for key=/register (length=72)
04-19 22:54:02.339 24877 25008 D LaravelSecurity: 🔎 Extracting CSRF token from body
04-19 22:54:02.340 24877 25008 D PHPMonitor-JS: 📦 POST data captured (form) for: http://127.0.0.1/register path=/register (length=72)
04-19 22:54:02.340 24877 25008 D PHPBridge: Stored POST data for key=http://127.0.0.1/register (length=72)
04-19 22:54:02.340 24877 25008 D PHPBridge: Stored POST data for key=/register (length=72)
04-19 22:54:02.340 24877 25008 D LaravelSecurity: 🔎 Extracting CSRF token from body
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView: Sending request from WebView: 
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:   Type: HTML
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:   URL: http://127.0.0.1/register
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:   Method: POST
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:   Body: 
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:   Headers: 
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:        referer: http://127.0.0.1/register
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:        cookie: appearance=system; XSRF-TOKEN=eyJpdiI6IjE3OXBCV2ljdmR2Wjhmc0I3ditXN3c9PSIsInZhbHVlIjoiYjZPNmxUNTc3RTRXZmVOUE5sV2ZSR0doVEgwKzJ1YmU2WkZna3YvVlVKcUl3dy9ONnhXOGl3MFEwUDRzaVBWN2JiK2tjK1BNRTB3Y0o4QlVSbWJlQnlBdHo1ZHZtc3BHejFoM0xJandNSmNlTXFFYW1UYlY4QmkxdlFFUVM5MFMiLCJtYWMiOiJmMTBmYzc5OGRhNGZlMDNlOWU0MDNjZWRkOGFkZDRmMjY5N2U1NDEwNjUxMmFkOTk3MmJmM2E5NGQwY2ZhNjY1IiwidGFnIjoiIn0%3D; laravel-session=eyJpdiI6ImVKRFlaY0JQN3Z2N1ZGK3Qvd3pYWUE9PSIsInZhbHVlIjoicjlEaUcvUzc5T214c1ppWkJxRnMwblIxVTU2ZzJEelNaZzF1WTJENFNtZFRVUmRQM3MvL2JYT1ZSTVlpcW5CalVKdFMxZ0NnREkwVVpVRXZUdVZ5UXRkMjNEQ1czRGpxRGlOdVplZWFMdEZWUXBOekgrajQ1RFBuNVV1TWE4ZVAiLCJtYWMiOiJhNDY4MTk3NDA3MjY4Mjc0OTk5MjRjZDUzOTBlMjEzYzdiZTcwZTQ2NWVkNzY5ODEyMTVhN2U1ZmUyNGIxNmYwIiwidGFnIjoiIn0%3D
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:        x-inertia-version: aeffa900c7bcbd8bfa1bd404783a0ff9
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:        origin: http://127.0.0.1
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:        accept: text/html, application/xhtml+xml
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:        sec-ch-ua: "Chromium";v="146", "Not-A.Brand";v="24", "Android WebView";v="146"
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:        sec-ch-ua-mobile: ?1
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:        x-inertia: true
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:        x-nativephp-req-id: nphp_1_1776653642337, nphp_1_1776653642338
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:        x-xsrf-token: eyJpdiI6IjE3OXBCV2ljdmR2Wjhmc0I3ditXN3c9PSIsInZhbHVlIjoiYjZPNmxUNTc3RTRXZmVOUE5sV2ZSR0doVEgwKzJ1YmU2WkZna3YvVlVKcUl3dy9ONnhXOGl3MFEwUDRzaVBWN2JiK2tjK1BNRTB3Y0o4QlVSbWJlQnlBdHo1ZHZtc3BHejFoM0xJandNSmNlTXFFYW1UYlY4QmkxdlFFUVM5MFMiLCJtYWMiOiJmMTBmYzc5OGRhNGZlMDNlOWU0MDNjZWRkOGFkZDRmMjY5N2U1NDEwNjUxMmFkOTk3MmJmM2E5NGQwY2ZhNjY1IiwidGFnIjoiIn0=
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:        sec-ch-ua-platform: "Android"
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:        x-requested-with: XMLHttpRequest
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:        content-type: application/json
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:        user-agent: Mozilla/5.0 (Linux; Android 13; SM-N986U Build/TP1A.220624.014; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/146.0.7680.178 Mobile Safari/537.36
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:   Trace: 
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView: 
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:   Encoding type (form submissions only): null
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:   Is for main frame? false
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:   Is redirect? false
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:   Has gesture? true
04-19 22:54:02.340 24877 24925 I RequestInspectorWebView:         
04-19 22:54:02.340 24877 24925 D PHPMonitor: 🌐 Handling PHP request
04-19 22:54:02.391 24877 24925 W PHPBridge: No POST data for key=nphp_1_1776653642337, nphp_1_1776653642338 after 50ms — request may have no body
04-19 22:54:02.392 24877 24925 D LaravelCookies: 📤 Cookie header: XSRF-TOKEN=eyJpdiI6IjE3OXBCV2ljdmR2Wjhmc0I3ditXN3c9PSIsInZhbHVlIjoiYjZPNmxUNTc3RTRXZmVOUE5sV2ZSR0doVEgwKzJ1YmU2WkZna3YvVlVKcUl3dy9ONnhXOGl3MFEwUDRzaVBWN2JiK2tjK1BNRTB3Y0o4QlVSbWJlQnlBdHo1ZHZtc3BHejFoM0xJandNSmNlTXFFYW1UYlY4QmkxdlFFUVM5MFMiLCJtYWMiOiJmMTBmYzc5OGRhNGZlMDNlOWU0MDNjZWRkOGFkZDRmMjY5N2U1NDEwNjUxMmFkOTk3MmJmM2E5NGQwY2ZhNjY1IiwidGFnIjoiIn0%3D; laravel-session=eyJpdiI6ImVKRFlaY0JQN3Z2N1ZGK3Qvd3pYWUE9PSIsInZhbHVlIjoicjlEaUcvUzc5T214c1ppWkJxRnMwblIxVTU2ZzJEelNaZzF1WTJENFNtZFRVUmRQM3MvL2JYT1ZSTVlpcW5CalVKdFMxZ0NnREkwVVpVRXZUdVZ5UXRkMjNEQ1czRGpxRGlOdVplZWFMdEZWUXBOekgrajQ1RFBuNVV1TWE4ZVAiLCJtYWMiOiJhNDY4MTk3NDA3MjY4Mjc0OTk5MjRjZDUzOTBlMjEzYzdiZTcwZTQ2NWVkNzY5ODEyMTVhN2U1ZmUyNGIxNmYwIiwidGFnIjoiIn0%3D
04-19 22:54:02.392 24877 24925 D LaravelCookies: 📦 Stored cookies:
04-19 22:54:02.392 24877 24925 D LaravelCookies:    → XSRF-TOKEN = eyJpdiI6IjE3OXBCV2ljdmR2Wjhmc0I3ditXN3c9PSIsInZhbHVlIjoiYjZPNmxUNTc3RTRXZmVOUE5sV2ZSR0doVEgwKzJ1YmU2WkZna3YvVlVKcUl3dy9ONnhXOGl3MFEwUDRzaVBWN2JiK2tjK1BNRTB3Y0o4QlVSbWJlQnlBdHo1ZHZtc3BHejFoM0xJandNSmNlTXFFYW1UYlY4QmkxdlFFUVM5MFMiLCJtYWMiOiJmMTBmYzc5OGRhNGZlMDNlOWU0MDNjZWRkOGFkZDRmMjY5N2U1NDEwNjUxMmFkOTk3MmJmM2E5NGQwY2ZhNjY1IiwidGFnIjoiIn0%3D
04-19 22:54:02.392 24877 24925 D LaravelCookies:    → laravel-session = eyJpdiI6ImVKRFlaY0JQN3Z2N1ZGK3Qvd3pYWUE9PSIsInZhbHVlIjoicjlEaUcvUzc5T214c1ppWkJxRnMwblIxVTU2ZzJEelNaZzF1WTJENFNtZFRVUmRQM3MvL2JYT1ZSTVlpcW5CalVKdFMxZ0NnREkwVVpVRXZUdVZ5UXRkMjNEQ1czRGpxRGlOdVplZWFMdEZWUXBOekgrajQ1RFBuNVV1TWE4ZVAiLCJtYWMiOiJhNDY4MTk3NDA3MjY4Mjc0OTk5MjRjZDUzOTBlMjEzYzdiZTcwZTQ2NWVkNzY5ODEyMTVhN2U1ZmUyNGIxNmYwIiwidGFnIjoiIn0%3D
04-19 22:54:02.392 24877 24925 D PHPRequestHandler: 📤 Final request headers: {Origin=http://127.0.0.1, Cookie=XSRF-TOKEN=eyJpdiI6IjE3OXBCV2ljdmR2Wjhmc0I3ditXN3c9PSIsInZhbHVlIjoiYjZPNmxUNTc3RTRXZmVOUE5sV2ZSR0doVEgwKzJ1YmU2WkZna3YvVlVKcUl3dy9ONnhXOGl3MFEwUDRzaVBWN2JiK2tjK1BNRTB3Y0o4QlVSbWJlQnlBdHo1ZHZtc3BHejFoM0xJandNSmNlTXFFYW1UYlY4QmkxdlFFUVM5MFMiLCJtYWMiOiJmMTBmYzc5OGRhNGZlMDNlOWU0MDNjZWRkOGFkZDRmMjY5N2U1NDEwNjUxMmFkOTk3MmJmM2E5NGQwY2ZhNjY1IiwidGFnIjoiIn0%3D; laravel-session=eyJpdiI6ImVKRFlaY0JQN3Z2N1ZGK3Qvd3pYWUE9PSIsInZhbHVlIjoicjlEaUcvUzc5T214c1ppWkJxRnMwblIxVTU2ZzJEelNaZzF1WTJENFNtZFRVUmRQM3MvL2JYT1ZSTVlpcW5CalVKdFMxZ0NnREkwVVpVRXZUdVZ5UXRkMjNEQ1czRGpxRGlOdVplZWFMdEZWUXBOekgrajQ1RFBuNVV1TWE4ZVAiLCJtYWMiOiJhNDY4MTk3NDA3MjY4Mjc0OTk5MjRjZDUzOTBlMjEzYzdiZTcwZTQ2NWVkNzY5ODEyMTVhN2U1ZmUyNGIxNmYwIiwidGFnIjoiIn0%3D, X-Requested-With=XMLHttpRequest, Accept=text/html, application/xhtml+xml, X-XSRF-TOKEN=eyJpdiI6IjE3OXBCV2ljdmR2Wjhmc0I3ditXN3c9PSIsInZhbHVlIjoiYjZPNmxUNTc3RTRXZmVOUE5sV2ZSR0doVEgwKzJ1YmU2WkZna3YvVlVKcUl3dy9ONnhXOGl3MFEwUDRzaVBWN2JiK2tjK1BNRTB3Y0o4QlVSbWJlQnlBdHo1ZHZtc3BHejFoM0xJandNSmNlTXFFYW1UYlY4QmkxdlFFUVM5MFMiLCJtYWMiOiJmMTBmYzc5OGRhNGZlMDNlOWU0MDNjZWRkOGFkZDRmMjY5N2U1NDEwNjUxMmFkOTk3MmJmM2E5NGQwY2ZhNjY1IiwidGFnIjoiIn0=, User-Agent=Mozilla/5.0 (Linux; Android 13; SM-N986U Build/TP1A.220624.014; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/146.0.7680.178 Mobile Safari/537.36, Referer=http://127.0.0.1/register, sec-ch-ua="Chromium";v="146", "Not-A.Brand";v="24", "Android WebView";v="146", sec-ch-ua-mobile=?1, X-Inertia-Version=aeffa900c7bcbd8bfa1bd404783a0ff9, sec-ch-ua-platform="Android", X-Inertia=true, Content-Type=application/json}
04-19 22:54:02.393 24877 25005 D LaravelCookies: 📤 Cookie header: XSRF-TOKEN=eyJpdiI6IjE3OXBCV2ljdmR2Wjhmc0I3ditXN3c9PSIsInZhbHVlIjoiYjZPNmxUNTc3RTRXZmVOUE5sV2ZSR0doVEgwKzJ1YmU2WkZna3YvVlVKcUl3dy9ONnhXOGl3MFEwUDRzaVBWN2JiK2tjK1BNRTB3Y0o4QlVSbWJlQnlBdHo1ZHZtc3BHejFoM0xJandNSmNlTXFFYW1UYlY4QmkxdlFFUVM5MFMiLCJtYWMiOiJmMTBmYzc5OGRhNGZlMDNlOWU0MDNjZWRkOGFkZDRmMjY5N2U1NDEwNjUxMmFkOTk3MmJmM2E5NGQwY2ZhNjY1IiwidGFnIjoiIn0%3D; laravel-session=eyJpdiI6ImVKRFlaY0JQN3Z2N1ZGK3Qvd3pYWUE9PSIsInZhbHVlIjoicjlEaUcvUzc5T214c1ppWkJxRnMwblIxVTU2ZzJEelNaZzF1WTJENFNtZFRVUmRQM3MvL2JYT1ZSTVlpcW5CalVKdFMxZ0NnREkwVVpVRXZUdVZ5UXRkMjNEQ1czRGpxRGlOdVplZWFMdEZWUXBOekgrajQ1RFBuNVV1TWE4ZVAiLCJtYWMiOiJhNDY4MTk3NDA3MjY4Mjc0OTk5MjRjZDUzOTBlMjEzYzdiZTcwZTQ2NWVkNzY5ODEyMTVhN2U1ZmUyNGIxNmYwIiwidGFnIjoiIn0%3D
04-19 22:54:02.393 24877 25005 I PHP-Native: persistent_dispatch: POST /register
04-19 22:54:02.418 24877 25005 D PHPBridge: Response first 200 chars: HTTP/1.1 302 Found
04-19 22:54:02.418 24877 25005 D PHPBridge: cache-control: no-cache, private
04-19 22:54:02.418 24877 25005 D PHPBridge: date: Mon, 20 Apr 2026 02:54:02 GMT
04-19 22:54:02.418 24877 25005 D PHPBridge: location: http://127.0.0.1/register
04-19 22:54:02.418 24877 25005 D PHPBridge: content-type: text/html; charset=utf-8
04-19 22:54:02.418 24877 25005 D PHPBridge: vary: X-Inertia
04-19 22:54:02.418 24877 25005 D PHPBridge: set-cookie: XSR
04-19 22:54:02.418 24877 25005 D PHPBridge: Found Set-Cookie in raw response!
04-19 22:54:02.419 24877 25005 D PHPBridge: Cookie line: set-cookie: XSRF-TOKEN=eyJpdiI6IkRiNXAvOEV

[phpthinky]

It happen to me too. try adding middleware
/**
* NativePHP body-capture workaround.
*
* NativePHP's JS bridge double-captures POST bodies, generates two req-IDs,
* combines them in the header, then looks up the body under the combined
* string — which never matches. PHP receives an empty body.
*
* The JS layer encodes the payload as JSON in the X-Body header instead.
* This middleware decodes it and merges the data into the request so that
* $request->input() and $request->validate() work normally.
*/
public function handle(Request $request, Closure $next)
{
$raw = $request->header('X-Body');
if ($raw) {
$data = json_decode($raw, true);
if (is_array($data)) {
$request->merge($data);
}
}
return $next($request);
}

[Riley19280]

@phpthinky That did not work for me unfortunately, are there additional changes needed in the js layer?

Made additional changes to the inertia app to get this working.

When initializing the inertia app, add the data to the header

 defaults: {
        visitOptions: (href, options) => {
            return {
                headers: {
                    ...options.headers,
                    'X-Body': JSON.stringify(options.data),
                },
            };
        },
    },