Passport Laravel Package

laravel/passport

Laravel Passport provides an OAuth2 server for Laravel, enabling API authentication with personal access tokens, password and authorization code grants, and client credentials. Integrates with Laravel’s auth system for secure, standards-based token issuing.

Laravel Passport is an OAuth2 server and API authentication package for Laravel, designed to make issuing and managing access tokens straightforward. It helps you secure first-party and third-party API access using familiar Laravel conventions.

Use Passport to implement robust token-based auth flows while keeping configuration and integration clean and maintainable.

  • Provides a full OAuth2 authorization server for Laravel apps
  • Supports access tokens (and common OAuth2 grant types) for API auth
  • Integrates with Laravel’s authentication system and middleware
  • Offers tooling to manage clients, tokens, and scopes
  • Open-source and maintained under the MIT license

Frequently asked questions about Passport

How do I install Laravel Passport in a Laravel 10+ project?
Run `composer require laravel/passport` and then execute `php artisan passport:install`. This creates the necessary tables and adds the Passport service provider. Ensure you’re using Laravel 10+ and PHP 8.1+ for compatibility.

Which Laravel versions does Passport v13.7.3 support?
Passport v13.7.3 is fully compatible with Laravel 10, 11, and 12. It also works with Laravel 13, though the team recommends testing thoroughly if using newer Laravel features like the app service provider changes.

Can I use Passport for a single-page application (SPA) with React/Vue?
Yes, Passport supports PKCE (Proof Key for Code Exchange), which is ideal for SPAs. Use the `password` grant for server-side apps and `authorization_code` with PKCE for SPAs. Configure your frontend to handle OAuth2 redirects and token storage securely.

How do I revoke tokens in Passport for security compliance?
Use `Passport::tokens()->where('id', $tokenId)->delete()` to revoke access tokens manually. For refresh tokens, revoke them via `Passport::personalAccessTokens()->where('id', $tokenId)->delete()`. Enable auto-revocation by setting `refresh_tokens_expire_in` in your config.

Does Passport support OAuth2 2.1 features like token binding?
Passport v13.7.3 does not yet support OAuth2 2.1 features like token binding. It adheres to OAuth2.0 (RFC 6749). If you need 2.1 features, monitor the Laravel team’s roadmap or consider third-party extensions like `spatie/laravel-oauth-server`.

How can I test Passport authentication in Laravel tests?
Use `Passport::actingAs($user)` in your tests to simulate authenticated requests. For API tests, combine it with `Http::actingAs($user)`. Mock token generation with `Passport::fake()` if needed. Works seamlessly with Pest or PHPUnit.

What are the performance implications of Passport in production?
Passport is optimized for performance but can become a bottleneck under extreme load. Use Redis for token caching (`passport:tokens` table) and consider scaling your database. For high-throughput APIs, benchmark with tools like k6 before deployment.

Can I customize Passport’s token expiration or scopes?
Yes, customize token lifetimes via `access_tokens_expire_in` and `refresh_tokens_expire_in` in `config/auth.php`. For scopes, extend the `Passport::tokensCan()` method or create custom middleware to validate scopes dynamically.

How do I secure Passport against client secret leaks?
Passport hashes client secrets by default in v13.x, reducing exposure. Use HTTPS, enforce `EnsureClientIsResourceOwner` middleware, and rotate secrets regularly. For public clients (no secrets), use PKCE or OAuth2 device flow.

What alternatives exist if Passport doesn’t fit my needs?
Consider `spatie/laravel-oauth-server` for more granular OAuth2 control or `tylerotga/laravel-eloquent-oauth-passport` for legacy systems. For JWT-only APIs, `tymon/jwt-auth` is lighter but lacks OAuth2 features. Evaluate based on your need for grants, scopes, or PKCE.