When you run php artisan passport:install, Laravel attempts to do the following:
- Generate encryption keys (
oauth-public.keyandoauth-private.key). - Publish Passportโs migrations if not already present.
- Run those migrations (if you choose โyesโ).
- Create the default OAuth clients (Personal and Password).
Running php artisan passport:install is a crucial setup step when using Laravel Passport for API authentication. Here’s a full explanation of why it’s needed and what it does:
โ
Why Run php artisan passport:install?
๐ง 1. Generates Encryption Keys
- Laravel Passport uses encryption to securely issue and validate access tokens.
passport:installgenerates:- A private key: used to sign access tokens.
- A public key: used to verify the tokens on future requests.
๐ These keys are stored in:
storage/oauth-private.key
storage/oauth-public.key
Code language: PHP (php)
๐ These keys are essential for the security of your API tokens.
๐ซ 2. Creates OAuth Clients
It automatically creates two default OAuth2 clients in the oauth_clients table:
a. Personal Access Client
- Used when issuing tokens via
$user->createToken('token-name'). - Good for first-party apps or backend-only workflows.
b. Password Grant Client
- Used for username/password login via the
/oauth/tokenroute. - Commonly used in mobile apps and SPAs (single-page apps).
These clients have a unique Client ID and Client Secret, which are used to obtain tokens programmatically.
๐ What Happens Behind the Scenes?
When you run:
php artisan passport:install
Code language: CSS (css)
Laravel does the following:
- Generates
oauth-public.keyandoauth-private.key. - Creates one Personal Access Client.
- Creates one Password Grant Client.
- Stores all client data in the
oauth_clientstable. - Outputs the client IDs and secrets in the console.
๐ When Should You Run It?
- โ When setting up Laravel Passport for the first time.
- ๐ When you accidentally delete the keys or clients.
- ๐ ๏ธ When migrating environments (you might need to re-run with
--force).
โ ๏ธ Tip:
If you already have keys and clients, and re-running the command causes issues, use the --force flag only if you’re resetting the environment:
php artisan passport:install --force
Code language: CSS (css)
โ ๏ธ Be careful: this will overwrite existing keys and may invalidate current tokens.
โ Summary
| Action | Purpose |
|---|---|
| Generate OAuth keys | Sign and verify secure access tokens |
| Create Personal Access Client | Issue tokens using createToken() method |
| Create Password Grant Client | Enable login via /oauth/token |
| Store keys and clients | In storage/ and oauth_clients table |
Hereโs a clear explanation of the difference between a Personal Access Client and a Password Grant Client in Laravel Passport:
๐ 1. Personal Access Client
โ Purpose:
Used when users authenticate via a token directly, usually through first-party apps (like your own web or mobile app). Ideal for issuing long-lived personal tokens.
๐ How it works:
- The user logs in through a traditional session (browser or API).
- The server generates a personal access token for the user using the
createToken()method:$token = $user->createToken('Token Name')->accessToken; - No client credentials (ID/secret) are required on the frontend.
๐ Use Case:
- Admin panels
- First-party web or mobile apps
- API testing via Postman
๐ Token Flow:
User logs in โ backend creates personal token โ returns to frontend.
๐ 2. Password Grant Client
โ Purpose:
Used when you want the user to provide email/password via API and obtain an access token programmatically. Often used by mobile apps or single-page apps (SPA).
๐ How it works:
- The client app sends a request to the
/oauth/tokenendpoint:POST /oauth/token Content-Type: application/json { "grant_type": "password", "client_id": "8", "client_secret": "your-password-client-secret", "username": "user@example.com", "password": "secret", "scope": "*" } - If valid, Passport issues an access token.
๐ Use Case:
- Mobile apps logging in users
- SPAs with direct login forms
๐ Token Flow:
Frontend (mobile/web) sends user credentials + client credentials โ gets token from /oauth/token.
โ Summary Table
| Feature | Personal Access Client | Password Grant Client |
|---|---|---|
| Authentication | Server-side only | User credentials via API |
| Use Case | First-party web/mobile | Mobile apps / SPAs |
| Client ID/Secret Needed? | โ No | โ Yes |
| Example Method | $user->createToken() | /oauth/token endpoint with credentials |
| User Interaction | Already logged in via session | Login via email/password in the app |
| Security Consideration | Tokens created securely server-side | Password passed through API (use HTTPS) |
I’m Rajesh Kumar, a DevOps, SRE, DevSecOps, Cloud, and Platform Engineering expert passionate about sharing practical knowledge, real-world experiences, and industry best practices. I have worked at Cotocus and regularly write about technology, travel, investing, health, product reviews, and digital marketing through my various platforms.
I publish technical articles at DevOps School, travel stories at Holiday Landmark, stock market insights at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow, and SEO and digital marketing strategies at Wizbrand.
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services โ all in one place.
Explore Hospitals