How do I install Laravel Passport in a Laravel 11 project?

Run `composer require laravel/passport` and then execute `php artisan passport:install`. This creates the necessary database tables and sets up the OAuth2 server. Ensure your Laravel version is 10/11/13 and PHP 8.1+ for compatibility.

Can Passport replace Sanctum for API authentication in Laravel?

Yes, Passport is a full OAuth2 server, while Sanctum is token-based but not OAuth2-compliant. Use Passport for third-party integrations or if you need OAuth2 grants like authorization code or client credentials. They can coexist if configured with separate guards.

What OAuth2 grant types does Passport support, and which should I use for mobile apps?

Passport supports authorization code, password, client credentials, refresh token, and implicit grants. For mobile apps, use **authorization code with PKCE** (enabled via `Passport::enableImplicitInProduction(false)`) to mitigate code interception attacks.

How do I secure Passport client secrets in production?

Always use `Passport::hash()` when generating client secrets to store hashed values in the database. Avoid storing plaintext secrets. For added security, rotate secrets periodically and restrict access to the `oauth_clients` table.

Does Passport work with Laravel Jetstream or Breeze for authentication?

Yes, Passport integrates seamlessly with Jetstream/Breeze. Use `Passport::routes()` in your `AuthServiceProvider` and configure the `oauth` guard. Jetstream’s default login flow triggers OAuth2 authorization, while Breeze can use Passport for API token generation.

How do I revoke tokens in Passport, and can I automate this?

Use `Passport::tokens()->where('user_id', $userId)->revoke()` to revoke all tokens for a user. For automation, schedule the `passport:revoke` Artisan command or extend the `AccessToken` model to add custom revocation logic (e.g., on user deletion).

What Laravel versions does Passport officially support, and how do I upgrade?

Passport supports Laravel 10, 11, and 13. Upgrading requires running `php artisan passport:migrate` to update database schemas (e.g., UUID clients in v13.x). Always test upgrades in staging first, as some versions introduce breaking changes.

Can I use Passport for microservices communication without a frontend?

Absolutely. Passport’s **client credentials grant** is ideal for microservices. Configure a service account (client) with no redirect URI, and use the `client:client_credentials` grant to authenticate API-to-API calls without user interaction.

How do I add custom scopes or permissions to Passport tokens?

Define scopes in your `Client` model’s `scopes` attribute or dynamically assign them during token issuance. Use middleware like `Passport::tokensCan()` to enforce scope-based authorization (e.g., `if ($user->tokenCan('admin'))`).

Are there performance concerns with Passport in high-traffic APIs?

Passport’s token validation is lightweight, but revocation checks (`revoked()`) can impact latency. Cache token revocation lists in Redis or use `Passport::personalAccessTokensExpireIn()` to limit token lifetimes. Monitor `/oauth/token` endpoint under load.

Weave Code

Code Weaver

Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.

Passport Laravel Package

laravel/passport

Laravel Passport provides a full OAuth2 server for Laravel, making API authentication simple with access tokens, personal access tokens, and client credentials. Officially maintained, with extensive docs and integrations for securing first- and third-party APIs.

View on GitHub

Deep Wiki

Context7

Laravel Passport provides OAuth2 server support to Laravel.

Frequently asked questions about Passport

How do I install Laravel Passport in a Laravel 11 project?: Run `composer require laravel/passport` and then execute `php artisan passport:install`. This creates the necessary database tables and sets up the OAuth2 server. Ensure your Laravel version is 10/11/13 and PHP 8.1+ for compatibility.
Can Passport replace Sanctum for API authentication in Laravel?: Yes, Passport is a full OAuth2 server, while Sanctum is token-based but not OAuth2-compliant. Use Passport for third-party integrations or if you need OAuth2 grants like authorization code or client credentials. They can coexist if configured with separate guards.
What OAuth2 grant types does Passport support, and which should I use for mobile apps?: Passport supports authorization code, password, client credentials, refresh token, and implicit grants. For mobile apps, use **authorization code with PKCE** (enabled via `Passport::enableImplicitInProduction(false)`) to mitigate code interception attacks.
How do I secure Passport client secrets in production?: Always use `Passport::hash()` when generating client secrets to store hashed values in the database. Avoid storing plaintext secrets. For added security, rotate secrets periodically and restrict access to the `oauth_clients` table.
Does Passport work with Laravel Jetstream or Breeze for authentication?: Yes, Passport integrates seamlessly with Jetstream/Breeze. Use `Passport::routes()` in your `AuthServiceProvider` and configure the `oauth` guard. Jetstream’s default login flow triggers OAuth2 authorization, while Breeze can use Passport for API token generation.
How do I revoke tokens in Passport, and can I automate this?: Use `Passport::tokens()->where('user_id', $userId)->revoke()` to revoke all tokens for a user. For automation, schedule the `passport:revoke` Artisan command or extend the `AccessToken` model to add custom revocation logic (e.g., on user deletion).
What Laravel versions does Passport officially support, and how do I upgrade?: Passport supports Laravel 10, 11, and 13. Upgrading requires running `php artisan passport:migrate` to update database schemas (e.g., UUID clients in v13.x). Always test upgrades in staging first, as some versions introduce breaking changes.
Can I use Passport for microservices communication without a frontend?: Absolutely. Passport’s **client credentials grant** is ideal for microservices. Configure a service account (client) with no redirect URI, and use the `client:client_credentials` grant to authenticate API-to-API calls without user interaction.
How do I add custom scopes or permissions to Passport tokens?: Define scopes in your `Client` model’s `scopes` attribute or dynamically assign them during token issuance. Use middleware like `Passport::tokensCan()` to enforce scope-based authorization (e.g., `if ($user->tokenCan('admin'))`).
Are there performance concerns with Passport in high-traffic APIs?: Passport’s token validation is lightweight, but revocation checks (`revoked()`) can impact latency. Cache token revocation lists in Redis or use `Passport::personalAccessTokensExpireIn()` to limit token lifetimes. Monitor `/oauth/token` endpoint under load.

Popularity trends

Recorded values over time (once-a-day snapshots). May 7, 2026 – Jun 5, 2026

GitHub · stars

GitHub · forks

GitHub · watchers

Packagist · monthly downloads

View on GitHub

Stars

3,405

Favorites

3,455

Forks

803

Score

61.8

Score breakdown

Sum of components, capped 0–100. Halved if archived.

Stars

input: 3405

+17.0
Forks

input: 803

+15.0
Open issues + PRs

input: 4

+0.4
Releases

input: 37

+11.1
Recency

input: 45

+17.5
Issue opportunity

input: 2

+0.2
Laravel News mentions

input: 0

+0.0
Dependents

input: 0

+0.0

Total 61.3

Opportunity

45.3

Opportunity score breakdown

Hidden gem signal × 0.65 + contribution need × 0.35, scaled by health factor.

Hidden gem

log(monthly_downloads / (stars + 1)) × 25

69.7
Contribution need

open_issues + open_prs: 4

2.6
Health factor

archived + recency + open issues

×0.98

Total 45.2

License

MIT

Last release

Apr 21, 2026

Watchers

Downloads

2M/mo

Dependents

Open issues

Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.

Add packages to context

No packages found.

hexters/coinpayment

rjcodes/rjcms

act-training/laravel-permissions-manager

alimarchal/laravel-chart-of-accounts

babenkoivan/elastic-scout-driver

mkwebdesign/filament-watchdog-v5

renatomarinho/laravel-page-speed

zedmagdy/filament-business-hours

renatovdemoura/blade-elements-ui

devgeek/beacon-admin

benjamin-rqt/data-watcher-bundle

atriumphp/atrium

sandermuller/package-boost-laravel

sandermuller/boost-skills

redaxo/core

yusufgenc/filament-api-forge

l3aro/rating-star-for-filament

leek/filament-subtenant-scope

anil/file-picker

broqit/fields-ai