Laravel and Lumen passport package

v1.0.5 2022-06-19 18:49 UTC

This package is auto-updated.

Last update: 2023-02-25 08:18:02 UTC


Making Laravel Passport work with Lumen

A simple service provider that makes Laravel Passport work with Lumen


  • PHP >= 8.0
  • Lumen >= 9.0

Installation via Composer

$ composer require imanrjb/passport-auth

Or if you prefer, edit composer.json manually:

    "require": {
        "imanrjb/passport-auth": "^1.0"

Modify the bootstrap flow (bootstrap/app.php file)

// Enable Facades

// Enable Eloquent

// Enable auth middleware (shipped with Lumen)
    'auth' => App\Http\Middleware\Authenticate::class,


Registering Routes

Next, you should call the LumenPassport::routes method within the boot method of your application (AuthServiceProvider.php). This method will register the routes necessary to issue access tokens and revoke access tokens, clients, and personal access tokens:


You can add that into an existing group, or add use this route registrar independently like so;

\PassportAuth\LumenPassport::routes($this->app->router, ['prefix' => 'v1/oauth']);

Migrate and install Laravel Passport

# Publish config files
php artisan vendor:publish --tag=passport-auth

# Create new tables for Passport
php artisan migrate

# Install encryption keys and other necessary stuff for Passport
php artisan passport:install

Installed routes

This package mounts the following routes after you call routes() method (see instructions below):

Verb Path NamedRoute Controller Action Middleware
POST /oauth/token \Laravel\Passport\Http\Controllers\AccessTokenController issueToken -
GET /oauth/tokens \Laravel\Passport\Http\Controllers\AuthorizedAccessTokenController forUser auth
DELETE /oauth/tokens/{token_id} \Laravel\Passport\Http\Controllers\AuthorizedAccessTokenController destroy auth
POST /oauth/token/refresh \Laravel\Passport\Http\Controllers\TransientTokenController refresh auth
GET /oauth/clients \Laravel\Passport\Http\Controllers\ClientController forUser auth
POST /oauth/clients \Laravel\Passport\Http\Controllers\ClientController store auth
PUT /oauth/clients/{client_id} \Laravel\Passport\Http\Controllers\ClientController update auth
DELETE /oauth/clients/{client_id} \Laravel\Passport\Http\Controllers\ClientController destroy auth
GET /oauth/scopes \Laravel\Passport\Http\Controllers\ScopeController all auth
GET /oauth/personal-access-tokens \Laravel\Passport\Http\Controllers\PersonalAccessTokenController forUser auth
POST /oauth/personal-access-tokens \Laravel\Passport\Http\Controllers\PersonalAccessTokenController store auth
DELETE /oauth/personal-access-tokens/{token_id} \Laravel\Passport\Http\Controllers\PersonalAccessTokenController destroy auth

Please note that some of the Laravel Passport's routes had to 'go away' because they are web-related and rely on sessions (eg. authorise pages). Lumen is an API framework so only API-related routes are present.

User model

Make sure your user model uses Passport's HasApiTokens trait, eg.:

class User extends Model
    use HasApiTokens, Authenticatable, Authorizable;

    public function findForPassport($email)
        return $this->where('email', $email)->first();

    public function validateForPassportPasswordGrant($password)
        return Hash::check($password, $this->password);

Different TTLs for different password clients

Laravel Passport allows to set one global TTL for access tokens, but it may be useful sometimes to set different TTLs for different clients (eg. mobile users get more time than desktop users).

Simply do the following in your service provider:

// Second parameter is the client Id
\PassportAuth\LumenPassport::tokensExpireIn(Carbon::now()->addMinutes(50), 2); 

If you don't specify client Id, it will simply fall back to Laravel Passport implementation.

Console command for purging expired tokens

Simply run php artisan passport:purge to remove expired refresh tokens and their corresponding access tokens from the database.

Issue token

// Generate new token with user credential
    $client = Client::whereProvider('users')->first();

    $request = Request::create('/oauth/token', 'POST', [
        'grant_type' => 'password',
        'client_id' => $client->id,
        'client_secret' => $client->secret,
        'username' => $request->email,
        'password' => $request->password,
        'scope' => '*',
        'user_agent' => Browser::platformName() . ", " . Browser::browserFamily(),
        'ip' => request()->ip()

    return app()->handle($request);

// Create route with middleware and return user information
    $router->group(['middleware' => 'auth:api'], function () use ($router) {
        $router->get('/user', function () {
            return \Illuminate\Support\Facades\Auth::user();

Refresh token

// Generate new token with refresh token
    $client = Client::whereProvider('users')->first();

    $request = Request::create('/oauth/token', 'POST', [
        'grant_type' => 'refresh_token',
        'client_id' => $client->id,
        'client_secret' => $client->secret,
        'refresh_token' => $request->refresh_token,
        'scope' => '',

    return app()->handle($request);