Turn Your Vehicle Into a Smart Earning Asset

While you’re not driving your car or bike, it can still be working for you. MOTOSHARE helps you earn passive income by connecting your vehicle with trusted renters in your city.

🚗 You set the rental price
🔐 Secure bookings with verified renters
📍 Track your vehicle with GPS integration
💰 Start earning within 48 hours

Join as a Partner Today

It’s simple, safe, and rewarding. Your vehicle. Your rules. Your earnings.

Uncategorised

Laravel: oauth_access_tokens clean up process

August 30, 2025 Leave a Comment

using Laravel Passport—the oauth_access_tokens table balloons when tokens aren’t expiring, not being revoked on logout, or not being purged. Here’s a practical, safe cleanup + prevention plan you can apply right now.

1) Inspect what’s growing

-- Table sizes (MB)
SELECT TABLE_NAME, ROUND((DATA_LENGTH+INDEX_LENGTH)/1024/1024,2) AS MB
FROM information_schema.TABLES
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME IN ('oauth_access_tokens','oauth_refresh_tokens')
ORDER BY MB DESC;

-- How many active (not revoked) tokens per user
SELECT user_id, COUNT(*) AS tokens
FROM oauth_access_tokens
WHERE revoked = 0
GROUP BY user_id
ORDER BY tokens DESC
LIMIT 20;

-- Expired tokens still present?
SELECT COUNT(*) 
FROM oauth_access_tokens
WHERE expires_at IS NOT NULL AND expires_at < NOW();
Code language: PHP (php)

2) One-time purge (safe cleanup)

Backup first. Then, if you’re on Passport 10+:

php artisan passport:purge --revoked --expired
Code language: CSS (css)

This removes revoked and expired access/refresh tokens.

If you don’t have the purge command, do it manually:

-- Revoke + delete obviously old tokens (example: older than 90 days)
UPDATE oauth_access_tokens SET revoked = 1
WHERE (expires_at IS NOT NULL AND expires_at < NOW()) OR created_at < NOW() - INTERVAL 90 DAY;

-- Clean up refresh tokens linked to revoked access tokens
DELETE rt FROM oauth_refresh_tokens rt
JOIN oauth_access_tokens at ON rt.access_token_id = at.id
WHERE at.revoked = 1;

-- Optionally delete the revoked access tokens themselves
DELETE FROM oauth_access_tokens WHERE revoked = 1;
Code language: JavaScript (javascript)

Then reclaim disk space (if you use file-per-table InnoDB):

OPTIMIZE TABLE oauth_access_tokens;
OPTIMIZE TABLE oauth_refresh_tokens;

3) Fix the root causes

A) Set short, sane expirations

In App\Providers\AuthServiceProvider.php:

use Laravel\Passport\Passport;

public function boot()
{
    $this->registerPolicies();

    Passport::tokensExpireIn(now()->addHours(2));             // access tokens
    Passport::refreshTokensExpireIn(now()->addDays(14));      // refresh tokens
    Passport::personalAccessTokensExpireIn(now()->addMonths(3));
}
Code language: PHP (php)

Deploy, then php artisan config:clear && php artisan cache:clear.

B) Revoke on logout (don’t leave tokens hanging)

If you’re issuing access tokens on login, make sure logout revokes them:

public function logout(Request $request)
{
    $token = $request->user()->token();
    if ($token) {
        $token->revoke();
        // Also revoke its refresh tokens
        \DB::table('oauth_refresh_tokens')
          ->where('access_token_id', $token->id)
          ->update(['revoked' => true]);
    }
    return response()->json(['message' => 'Logged out']);
}
Code language: PHP (php)

If you want to nuke all a user’s tokens on logout:

$request->user()->tokens()->delete();
\DB::table('oauth_refresh_tokens')->whereIn(
  'access_token_id',
  \DB::table('oauth_access_tokens')->where('user_id', $request->user()->id)->pluck('id')
)->delete();
Code language: PHP (php)

C) Don’t issue a new token on every request

Audit your login/auth flow—ensure you only create a token at login (or first app start) and then reuse it. If you’re creating tokens during each API call, that’s the main culprit.

D) Schedule automatic purging

In app/Console/Kernel.php:

protected function schedule(Schedule $schedule)
{
    // Passport 10+:
    $schedule->command('passport:purge --revoked --expired')->dailyAt('02:30');

    // Optional: extra safety—purge very old tokens regardless
    // $schedule->call(fn () => \DB::table('oauth_access_tokens')
    //    ->where('created_at','<',now()->subMonths(6))->delete()
    // )->weeklyOn(1, '03:00');
}
Code language: PHP (php)

Ensure your server cron runs Laravel’s scheduler:

* * * * * cd /path/to/app && php artisan schedule:run >> /dev/null 2>&1
Code language: JavaScript (javascript)

4) If you’re not tied to Passport

For SPAs and first-party mobile apps, consider Laravel Sanctum. It’s lighter (personal_access_tokens), easier to manage, and usually grows less aggressively.

5) Quick “emergency” reduction

If you must free space fast and accept losing old sessions:

-- Delete tokens older than 30 days (adjust to your risk appetite)
DELETE rt FROM oauth_refresh_tokens rt
JOIN oauth_access_tokens at ON rt.access_token_id = at.id
WHERE at.created_at < NOW() - INTERVAL 30 DAY;

DELETE FROM oauth_access_tokens
WHERE created_at < NOW() - INTERVAL 30 DAY;

Then OPTIMIZE TABLE as above.

Subscribe
Notify of
guest
0 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments

Certification Courses

DevOpsSchool has introduced a series of professional certification courses designed to enhance your skills and expertise in cutting-edge technologies and methodologies. Whether you are aiming to excel in development, security, or operations, these certifications provide a comprehensive learning experience. Explore the following programs:

DevOps Certification, SRE Certification, and DevSecOps Certification by DevOpsSchool

Explore our DevOps Certification, SRE Certification, and DevSecOps Certification programs at DevOpsSchool. Gain the expertise needed to excel in your career with hands-on training and globally recognized certifications.

0
Would love your thoughts, please comment.x
()
x