The complete beginner’s guide to authenticate REST API using Laravel Passport

Sharing is caring!


Laravel Passport
Laravel makes API authentication a breeze using Laravel Passport, which provides a full OAuth2 server implementation for your Laravel application in a matter of minutes. Passport is built on top of the League OAuth2 server that is maintained by Andy Millington and Simon Hamp.
To get started, install Passport via the Composer package manager:

composer require laravel/passport


The Passport migrations will create the tables your application needs to store clients and access tokens:

php artisan migrate


Next, you should run the passport:install command. This command will create the encryption keys needed to generate secure access tokens. In addition, the command will create “personal access” and “password grant” clients which will be used to generate access tokens:

php artisan passport:install

After running this command, add the Laravel\Passport\HasApiTokens trait to your App\User model. This trait will provide a few helper methods to your model which allow you to inspect the authenticated user’s token and scopes:


namespace App;

use Laravel\Passport\HasApiTokens;
use Illuminate\Notifications\Notifiable;
use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
use HasApiTokens, Notifiable;


Next, you should call the Passport::routes method within the boot method of your AuthServiceProvider. This method will register the routes necessary to issue access tokens and revoke access tokens, clients, and personal access tokens:


namespace App\Providers;

use Laravel\Passport\Passport;
use Illuminate\Support\Facades\Gate;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
* The policy mappings for the application.
* @var array
protected $policies = [
'App\Model' => 'App\Policies\ModelPolicy',

* Register any authentication / authorization services.
* @return void
public function boot()



Finally, in your config/auth.php configuration file, you should set the driver option of the API authentication guard to passport. This will instruct your application to use Passport’s TokenGuard when authenticating incoming API requests:

'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',

'api' => [
'driver' => 'passport',
'provider' => 'users',


Leave a Reply

Notify of