This is a Laravel passport grant for the SMS.

1.0.0 2018-10-11 02:21 UTC

This package is auto-updated.

Last update: 2022-05-11 10:16:09 UTC


This package is useful to combine your Oauth2 Server with SMS Login.


This package can be installed through Composer.

composer require xutl/laravel-passport-sms

In Laravel 5.5 the service provider will automatically get registered. In older versions of the framework just add the service provider in config/app.php file:

// config/app.php
'providers' => [

How to use

  • Make a POST request to https://your-site.com/oauth/token, just like you would a Password or Refresh grant.
  • The POST body should contain grant_type = sms.
  • The request will get routed to your User::byPassportSmsRequest() function, where you will determine if access should be granted or not.
  • An access_token and refresh_token will be returned if successful.


$response = $http->post('http://your-app.com/oauth/token', [
    'form_params' => [
        'grant_type' => 'sms',
        'client_id' => 'client-id',
        'client_secret' => 'client-secret',
        'phone' => '13800138000', 
        'verifyCode' => 'SMS verifyCode',

## Example

Here is what a `User::byPassportSmsRequest()` method might look like...

 * Verify and retrieve user by custom token request.
 * @param \Illuminate\Http\Request $request
 * @return \Illuminate\Database\Eloquent\Model|null
 * @throws \League\OAuth2\Server\Exception\OAuthServerException
public function byPassportSmsequest(Request $request)
    try {
                Validator::make($request->all(), [
                    'phone' => [
                    'verifyCode' => [
                        function ($attribute, $value, $fail) use ($request) {
                            if (!SmsVerifyCodeService::make($request->phone)->validate($value, false)) {
                                return $fail($attribute . ' is invalid.');
                return static::phone($request->phone)->first();
            } catch (\Exception $e) {
                throw OAuthServerException::accessDenied($e->getMessage());

In this example, the app is able to authenticate a user based on an phone and ``verifyCode property from a submitted JSON payload. It will return null or a user object. It also might throw exceptions explaining why the token is invalid. The `byPassportSmsRequest` catches any of those exceptions and converts them to appropriate OAuth exception type. If an `phone` is not present on the request payload, then we return `null` which returns an invalid_credentials error response:

  "error": "invalid_credentials",
  "message": "The user credentials were incorrect."