Laravel

How to authorize laravel-vue broadcasting/auth for private channels?

I no longer understand anything. Nothing works out of the box for me.
In order for a private channel to work, do you need to add tokens? a la passport? sanctum, jwt?

I don’t understand anything (simplified authentication - breeze. Admin panel on vue, which is simply a component built into the / admin route. I want to fasten notifications out of the box so that they are written to the database and broadcast through the pusher to the header.

All notifications go to the pusher - I see them in the logs , but since the channel is private by default, I get a 403 error.

window.Echo = new Echo({
    broadcaster: 'pusher',
    key: process.env.MIX_PUSHER_APP_KEY,
    cluster: process.env.MIX_PUSHER_APP_CLUSTER,
    forceTLS: true,
    // authEndpoint: '/api/auth',
    auth: {
        headers: {
            csrfToken: document.querySelector('meta[name="csrf-token"]').getAttribute('content')
            }
     },
});

// bootstrap.js
window.axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';

I already disabled all csrf checks.

and removed everything from the channel(
Broadcast::channel('App.Models.User.3', function () {
return true;
});

Request URL: http://dk2021.loc/broadcasting/auth
Request Method: POST
Status Code: 403 Forbidden
Remote Address: 192.168.10.10:80
Referrer Policy: strict-origin-when-cross-origin
Cache-Control: no-cache, private
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
date: Thu, 17 Dec 2020 11:10:35 GMT
Server: nginx/1.15.8
Set-Cookie: academiaru_session=eyJpdiI6IjNxVGk4TFZmbW9jVDUxUCs4RGp5cmc9PSIsInZhbHVlIjoieGdWYjlZcjNQNWxCUE1hYkNSVVhobHBLbWRJNDUxWHArTzFiR1BhNmZ6K2hSeG11ajdxaHJrVDJocjJGU3dRWldHTG4zdHYzQlcxRWs1OG5NMDBHTU1JWlRUQ1pSS2ROMERUMUNSSFo3YW5ZMnVHSWZlQWEwanFZRVVGOXBBMHkiLCJtYWMiOiIxZDllZTI0NGMyNDFjNzQ3ZjkyZGFmODczYjk3N2FkNmVlZThiMjQ3YzVkNmQzN2YzZGFlY2ViYzg4NWQ4ZWRjIn0%3D; expires=Thu, 17-Dec-2020 15:10:35 GMT; Max-Age=14400; path=/; httponly; samesite=lax
Transfer-Encoding: chunked
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Content-Length: 64
Content-Type: application/x-www-form-urlencoded
Cookie: XSRF-TOKEN=eyJpdiI6IlJrL1lIMndiSlZKR2lYdHNRdkUzZkE9PSIsInZhbHVlIjoiNUhEUHR1VFRScGNNUGUwRzEvZFpjdG0xRDBtUENHeGs1WEU4S1hnQkxxRmxiL3gzNDIzQXRlb3dUblgxRXBtMFEwZWl0SnhUZjd5QnNnK3RWVC9IM2JLdkl4dFhkVnZYeCtoOWZGUk1KVmF1UTUyMkNoVUlReTNlaFZhUUVMUmEiLCJtYWMiOiJhYmY0NTQxZTEwY2UwNzQ1Y2FmODA3MjkwZGM0Y2M3ZDc5OTYyZDE0MDkyMjE5NzA4ODE2YTRkYjBkYjVhNjZlIn0%3D; academiaru_session=eyJpdiI6Ijc2d0FPQ2xDY1pCTDJ5TkdKUFUrYUE9PSIsInZhbHVlIjoiZVNacnZsMWtFdWdVai9YQ3l4clU5anNCYThUaXBvQXJZblN0NXhVdVlVYlJndlhPNzRtM2piUXRKVmljWlFkUWtPSStBaHZHa1RSRnoyNHdGOHltdU9tT3N5aE9GbC9LMTN1aWt4NU9hd2lvYXRIMkVMQm1hRjk1RlZkNk5YLzIiLCJtYWMiOiI3OTA1NGY1MzlkNDdmN2FhYzQwMzliZjJhODMwZWRjMGQ1OTc3YzNkMTBkMDc1OTgwMDE2M2JjYTBlYjVmNTQ3In0%3D
csrfToken: CzVWLYeLbajiOAr87Sx0p2nuaT5A6I4NfGF9wxgY
Host: dk2021.loc
Origin: http://dk2021.loc
Referer: http://dk2021.loc/admin/tom/bookings
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
X-CSRF-TOKEN: csrf_token()
socket_id: 131100.13581968
channel_name: private-App.Models.User.3

What else is missing? (Regular channels pass normally.