Monday, March 20, 2017

[SOLVED] Laravel Passport - Automatically bypass OAuth for local JavaScript requests instead of displaying "Unauthenticated."

I've got Passport up and running. My application contains JavaScript AJAX that connects to my API. I'm trying to make it so it just works based on the Session instead of having to go through the whole OAuth system.
In the documentation, it looks like this is possible: https://laravel.com/docs/5.4/passport#consuming-your-api-with-javascript
However, I'm currently getting "Unauthenticated."
Kernel.php:
protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        // \Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
        \Laravel\Passport\Http\Middleware\CreateFreshApiToken::class,
    ],

    'api' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Session\Middleware\StartSession::class,
        \App\Http\Middleware\VerifyParametersMiddleware::class,
        'throttle:60,1',
        'bindings',
    ],
];

An example api.php route:
Route::group(['middleware' => ['auth:api']], function () {
    Route::resource('canvas-item', 'CanvasItemController', [
        'only' => [
            'index',   // GET    api/canvas-item
            'store',   // POST   api/canvas-item
            'update',  // PUT    api/canvas-item/{canvas-item-id}
            'destroy', // DELETE api/canvas-item/{canvas-item-id}
        ],
    ]);
});
An example JavaScript request:
// The CSRF token is read from the <meta name="csrf-token"> tag that Laravel's
// layout exposes; it has to be registered with $.ajaxSetup before any request
// is sent so that every call carries the X-CSRF-TOKEN header.
var token = $('meta[name="csrf-token"]').attr('content');

$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': token
    }
});

// $.APIAjax is assumed here to be an application-specific wrapper around $.ajax.
function ajaxRequest() {
    $.APIAjax({
        url: '',
        type: 'POST',
        data: {
            testing: null
        },
        success: function(jsonResponse) {},
        error: function(jsonResponse) {}
    });
}

The headers that the documentation asks for have been set correctly:
X-CSRF-TOKEN: "<tokenhere>"
X-Requested-With: "XMLHttpRequest"

Any ideas of how I can get past 'Unauthenticated.' if the request is coming from the same server?
Thanks!


via Toby Mellor
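For readers unfamiliar with what the linked documentation actually relies on: the CreateFreshApiToken middleware in the web group attaches a laravel_token cookie holding a signed JWT (bound to the user, the session's CSRF token and an expiry), and Passport's api guard authenticates a request from that cookie only if the X-CSRF-TOKEN header matches the token's csrf claim. The script below is an added, stand-alone illustration of those checks; it is neither the poster's code nor Passport's source. It assumes an HS256 JWT with sub/csrf/expiry claims signed with the app key and leaves out the extra layer of Laravel's cookie encrypter that wraps the real cookie; the key, user id and header values are constructed for the demo.

```php
<?php
// Added example (not the poster's code, not Passport's source): the checks an
// "api" guard performs on a laravel_token cookie issued for a logged-in session.
// Assumption: HS256 JWT with sub/csrf/expiry claims, signed with the app key;
// Laravel's encrypter wrapping of the cookie is omitted for brevity.

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string {
    return base64_decode(strtr($data, '-_', '+/'));
}

// What CreateFreshApiToken puts in the cookie on each web response: a token
// tied to the user, to the session's CSRF token and to a short lifetime.
function make_api_token_cookie(int $userId, string $csrfToken, string $appKey, int $lifetimeMinutes = 120): string {
    $header  = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = base64url_encode(json_encode([
        'sub'    => $userId,
        'csrf'   => $csrfToken,
        'expiry' => time() + $lifetimeMinutes * 60,
    ]));
    $sig = base64url_encode(hash_hmac('sha256', "$header.$payload", $appKey, true));
    return "$header.$payload.$sig";
}

// Mirror of the guard's cookie path: returns the user id, or null when any
// check fails (which the auth middleware reports as "Unauthenticated.").
function authenticate_via_cookie(?string $cookie, array $headers, string $appKey): ?int {
    if ($cookie === null) {
        return null;                       // no laravel_token cookie on the request
    }
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) {
        return null;                       // not a JWT (e.g. garbled by another layer)
    }
    [$header, $payload, $sig] = $parts;
    $expected = base64url_encode(hash_hmac('sha256', "$header.$payload", $appKey, true));
    if (!hash_equals($expected, $sig)) {
        return null;                       // tampered, or signed with a different app key
    }
    $claims = json_decode(base64url_decode($payload), true);
    if (!is_array($claims) || !isset($claims['sub'], $claims['csrf'], $claims['expiry'])) {
        return null;
    }
    if (time() >= $claims['expiry']) {
        return null;                       // token expired, a fresh one comes with the next web response
    }
    // The X-CSRF-TOKEN header must equal the csrf claim baked into the token;
    // this is what keeps another origin from riding on the cookie alone.
    $sent = (string) ($headers['X-CSRF-TOKEN'] ?? '');
    if (!hash_equals((string) $claims['csrf'], $sent)) {
        return null;                       // header missing or does not match the session's token
    }
    return (int) $claims['sub'];
}

// How the auth middleware answers when the guard returns null: a request that
// identifies itself as XMLHttpRequest gets the JSON body, anything else a redirect.
function unauthenticated_response(array $headers): array {
    $isAjax = ($headers['X-Requested-With'] ?? '') === 'XMLHttpRequest';
    return $isAjax
        ? ['status' => 401, 'body' => ['error' => 'Unauthenticated.']]
        : ['status' => 302, 'location' => '/login'];
}

// Constructed demo values.
$appKey = 'constructed-app-key-for-the-example';
$csrf   = bin2hex(random_bytes(20));
$cookie = make_api_token_cookie(42, $csrf, $appKey);

var_dump(authenticate_via_cookie($cookie, ['X-CSRF-TOKEN' => $csrf], $appKey));    // header matches the claim
var_dump(authenticate_via_cookie($cookie, [], $appKey));                           // header missing
var_dump(authenticate_via_cookie($cookie, ['X-CSRF-TOKEN' => 'other'], $appKey));  // header mismatch
var_dump(authenticate_via_cookie($cookie, ['X-CSRF-TOKEN' => $csrf], 'wrong-key')); // bad signature
print_r(unauthenticated_response(['X-Requested-With' => 'XMLHttpRequest']));
```

Run it with `php example.php` (PHP 7.1 or later for the nullable types and list destructuring). The useful check when debugging a case like the one above is to take the real laravel_token cookie value and the X-CSRF-TOKEN header from the browser's request and confirm, one step at a time, that the cookie reaches the guard intact, that it was signed with the current app key, that it has not expired, and that the csrf claim equals the header the page sent.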
