I've started to secure API calls with Laravel Airlock, when calling a route that's been secured with the middleware auth:airlock unauthenticated calls we're returning a status code of 302 means the route has been found. When 401 unauthenticated should have been returned.
Turns out it was not a Laravel Airlock issue but how Laravel handles ajax calls in order for an API call to be treated as an API call it requires a header called Accept and a value of application/json. With this heading in place, 401 will be returned for unauthenticated calls.
