When you run php artisan passport:install, Laravel attempts to do the following:
- Generate encryption keys (oauth-public.key and oauth-private.key).
- Publish Passport's migrations if not already present.
- Run those migrations (if you choose "yes").
- Create the default OAuth clients (Personal and Password).
Running php artisan passport:install is a crucial setup step when using Laravel Passport for API authentication. Here's a full explanation of why it's needed and what it does:
Why Run php artisan passport:install?
1. Generates Encryption Keys
- Laravel Passport uses a public/private key pair to sign and validate access tokens.
- passport:install generates:
  - A private key: used to sign access tokens.
  - A public key: used to verify the tokens on future requests.
These keys are stored in:
storage/oauth-private.key
storage/oauth-public.key
These keys are essential for the security of your API tokens: whoever holds the private key can sign tokens your API will accept, so keep it out of version control and readable only by the application user.
2. Creates OAuth Clients
It automatically creates two default OAuth2 clients in the oauth_clients table:
a. Personal Access Client
- Used when issuing tokens via $user->createToken('token-name').
- Good for first-party apps or backend-only workflows.
b. Password Grant Client
- Used for username/password login via the /oauth/token route.
- Commonly used in mobile apps and SPAs (single-page apps).
These clients have a unique Client ID and Client Secret, which are used to obtain tokens programmatically.
What Happens Behind the Scenes?
When you run:
php artisan passport:install
Laravel does the following:
- Generates oauth-public.key and oauth-private.key.
- Creates one Personal Access Client.
- Creates one Password Grant Client.
- Stores all client data in the oauth_clients table.
- Outputs the client IDs and secrets in the console.
When Should You Run It?
- When setting up Laravel Passport for the first time.
- When you accidentally delete the keys or clients.
- When migrating environments (you might need to re-run with --force).
Tip:
If you already have keys and clients, and re-running the command causes issues, use the --force flag only if you're resetting the environment:
php artisan passport:install --force
Be careful: this will overwrite existing keys and may invalidate current tokens.
Summary
| Action | Purpose |
|---|---|
| Generate OAuth keys | Sign and verify secure access tokens |
| Create Personal Access Client | Issue tokens using createToken() method |
| Create Password Grant Client | Enable login via /oauth/token |
| Store keys and clients | In storage/ and oauth_clients table |
Here's a clear explanation of the difference between a Personal Access Client and a Password Grant Client in Laravel Passport:
1. Personal Access Client
Purpose:
Used when users authenticate via a token directly, usually through first-party apps (like your own web or mobile app). Ideal for issuing long-lived personal tokens.
How it works:
- The user logs in through a traditional session (browser or API).
- The server generates a personal access token for the user using the createToken() method: $token = $user->createToken('Token Name')->accessToken;
- No client credentials (ID/secret) are required on the frontend.
Use Case:
- Admin panels
- First-party web or mobile apps
- API testing via Postman
Token Flow:
User logs in → backend creates personal token → returns to frontend.
2. Password Grant Client
Purpose:
Used when you want the user to provide email/password via API and obtain an access token programmatically. Often used by mobile apps or single-page apps (SPA).
How it works:
- The client app sends a request to the /oauth/token endpoint:
  POST /oauth/token
  Content-Type: application/json
  {
    "grant_type": "password",
    "client_id": "8",
    "client_secret": "your-password-client-secret",
    "username": "user@example.com",
    "password": "secret",
    "scope": "*"
  }
- If valid, Passport issues an access token.
Use Case:
- Mobile apps logging in users
- SPAs with direct login forms
Token Flow:
Frontend (mobile/web) sends user credentials + client credentials → gets token from /oauth/token.
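As an added example (not code from the original post), here is how both clients look from the server side of a Laravel app: the Personal Access Client path from the createToken() step above, and the Password Grant request from the /oauth/token step, dispatched server-side so the client secret never ships to the frontend. Assumed: a hypothetical TokenController, config keys services.passport.* populated from the IDs/secrets that passport:install prints, and Passport's expiry/scope settings placed in AuthServiceProvider::boot().

```php
<?php
// Added example, not from the original post. Two excerpts in one file: the Passport::
// calls belong in App\Providers\AuthServiceProvider::boot(); TokenController is a
// hypothetical controller. services.passport.* config keys are assumed (set from the
// client ID/secret that passport:install prints, via .env).
use Illuminate\Http\Request;
use Laravel\Passport\Passport;

// --- inside AuthServiceProvider::boot() ---------------------------------------
// Short-lived access tokens limit the damage of a leaked token (default is one year).
Passport::tokensExpireIn(now()->addHours(1));
Passport::refreshTokensExpireIn(now()->addDays(30));
Passport::personalAccessTokensExpireIn(now()->addDays(15));
// Named scopes give each token least privilege instead of the catch-all "*".
Passport::tokensCan([
    'orders:read'  => 'Read orders',
    'orders:write' => 'Create and update orders',
]);
Passport::setDefaultScope(['orders:read']);

// --- hypothetical App\Http\Controllers\TokenController -----------------------
class TokenController
{
    // Personal Access Client: the caller is already authenticated (session), so no
    // client ID/secret is involved; only the requested scope is attached to the token.
    public function personal(Request $request)
    {
        $token = $request->user()->createToken('cli-token', ['orders:read'])->accessToken;
        return response()->json(['access_token' => $token, 'token_type' => 'Bearer']);
    }

    // Password Grant Client: the server adds the client credentials and dispatches the
    // /oauth/token request internally, so the client secret never ships in the app/SPA.
    public function password(Request $request)
    {
        $creds = $request->validate(['username' => 'required|email', 'password' => 'required']);
        $tokenRequest = Request::create('/oauth/token', 'POST', [
            'grant_type'    => 'password',
            'client_id'     => config('services.passport.password_client_id'),
            'client_secret' => config('services.passport.password_client_secret'),
            'username'      => $creds['username'],
            'password'      => $creds['password'],
            'scope'         => 'orders:read',
        ]);
        // Passport's JSON (access_token, refresh_token, expires_in) and status are relayed as-is.
        return app()->handle($tokenRequest);
    }
}
```

Protect the routes that consume these tokens with the auth:api guard plus Passport's scope middleware (for example scope:orders:read) so a token issued for one scope cannot reach another.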
Summary Table
| Feature | Personal Access Client | Password Grant Client |
|---|---|---|
| Authentication | Server-side only | User credentials via API |
| Use Case | First-party web/mobile | Mobile apps / SPAs |
| Client ID/Secret Needed? | No | Yes |
| Example Method | $user->createToken() | /oauth/token endpoint with credentials |
| User Interaction | Already logged in via session | Login via email/password in the app |
| Security Consideration | Tokens created securely server-side | Password passed through API (use HTTPS) |
I'm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow, and SEO strategies at Wizbrand.
Rajesh Kumar Personal Website