How to Use Laravel Passport for API Authentication

Why Laravel Needs Passport for API Authentication:

1. API vs Web Authentication: APIs are stateless and use token-based authentication, unlike Laravel’s session-based web auth. Passport handles this with secure OAuth2 tokens.
2. OAuth2 Support: Passport provides full OAuth2 server functionality like token issuance, refresh, and revocation — no need to build it manually.
3. Mobile & SPA Friendly: For mobile and SPA apps, Passport offers secure token-based login via personal or password grant tokens.
4. Easy Token Management: Passport simplifies token handling — generation, expiration, and revocation — for scalable API security.
5. Third-Party API Access: Passport supports external apps with authorization code and client credentials grant types, ideal for public APIs.
6. Secure Route Middleware: Use auth:api middleware from Passport to protect routes, ensuring only valid token requests are allowed.
7. Seamless Laravel Integration: Passport works directly with Laravel’s core (Eloquent, Auth, Middleware), making token auth setup fast and developer-friendly.

Analyzing the Client’s Requirements

When building an API-driven application, understanding the client’s authentication needs is essential. If the client expects secure, token-based access for mobile apps, SPAs, or third-party integrations, Laravel Passport is the right choice. It supports stateless authentication using OAuth2, a widely accepted industry standard.

Laravel Passport offers complete OAuth2 functionality out of the box, including access token issuance, refresh tokens, and revocation. This removes the complexity of building token logic manually and ensures robust security. For frontend apps (like React or Vue) or mobile platforms, Passport’s personal access and password grant tokens allow users to authenticate securely without needing to manage sessions or cookies.

Furthermore, if the client wants third-party applications to access the API, Passport’s authorization code and client credentials grant types enable external services to authenticate just like they do with major platforms (e.g., Google APIs).

With built-in middleware (auth:api) and seamless integration into Laravel’s existing auth system, Passport aligns perfectly with most API-first requirements — making it an ideal solution for developers and clients alike.

Install Laravel Passport Package

First, ensure you have a Laravel project set up. Then install Laravel Passport via Composer:

After installation, run the passport:install command to create the encryption keys and default clients used to generate access tokens.

This will create the necessary tables like oauth_clients, oauth_access_tokens, oauth_refresh_tokens, etc.

Configure AuthServiceProvider

Open the AuthServiceProvider.php file and include the Passport service in the boot() method:

You can also customize token expiration and scopes here if needed.

You may optionally set token expiration in AuthServiceProvider like this:

Also, users can revoke tokens using $user->tokens()->delete() if you implement logout or session invalidation functionality.

Set Passport as API Auth Guard

Tell Laravel to use Passport for API authentication. In config/auth.php, under the guards array, update the api guard to use Passport:

This ensures that API routes will authenticate using Passport tokens.

Add the HasApiTokens Trait to the User Model

In your User model (App\Models\User), add:

Create API Routes

Define the public and protected API routes in routes/api.php:

Here, /login is public, and /user is protected and requires a valid access token.

Create Authentication Controller

Now, create a controller to handle login and authenticated user data. Then implement the login and user methods:

Log in to get an Access Token to proceed with further APIs

If your API uses email/password login to generate a personal access token (like shown in Laravel Passport setup), you can get the access token by requesting the login API.

Access a Protected Route with Bearer Token (cURL Example)

Use the token received in the login response to access any protected route:

Replace YOUR_ACCESS_TOKEN with the actual token from the login response.

Password Grant Token Request (OAuth2 Flow)

If you are using the password grant client (created via php artisan passport: install), then you can use:

Token Revocation: You can also manage tokens using Passport’s built-in tokens table.