{"id":51958,"date":"2025-08-30T12:31:18","date_gmt":"2025-08-30T12:31:18","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=51958"},"modified":"2025-08-30T12:31:18","modified_gmt":"2025-08-30T12:31:18","slug":"laravel-oauth_access_tokens-clean-up-process","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/laravel-oauth_access_tokens-clean-up-process\/","title":{"rendered":"Laravel: oauth_access_tokens clean up process"},"content":{"rendered":"\n

using Laravel Passport\u2014the oauth_access_tokens<\/code> table balloons when tokens aren\u2019t expiring, not being revoked on logout, or not being purged. Here\u2019s a practical, safe cleanup + prevention plan you can apply right now.<\/p>\n\n\n\n

1) Inspect what\u2019s growing<\/h1>\n\n\n
-- Table sizes (MB)\nSELECT TABLE_NAME, ROUND((DATA_LENGTH+INDEX_LENGTH)\/1024<\/span>\/1024<\/span>,2<\/span>) AS<\/span> MB\nFROM information_schema.TABLES\nWHERE TABLE_SCHEMA = DATABASE()\n  AND<\/span> TABLE_NAME IN ('oauth_access_tokens'<\/span>,'oauth_refresh_tokens'<\/span>)\nORDER BY MB DESC;\n\n-- How many active (not revoked) tokens per user\nSELECT user_id, COUNT(*) AS<\/span> tokens\nFROM oauth_access_tokens\nWHERE revoked = 0<\/span>\nGROUP BY user_id\nORDER BY tokens DESC\nLIMIT 20<\/span>;\n\n-- Expired tokens still present?\nSELECT COUNT(*) \nFROM oauth_access_tokens\nWHERE expires_at IS NOT NULL<\/span> AND<\/span> expires_at < NOW();\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
2) One-time purge (safe cleanup)<\/h1>\n\n\n\n
Backup first.<\/strong> Then, if you\u2019re on Passport 10+:<\/p>\n\n\n
php<\/span> artisan<\/span> passport<\/span>:purge<\/span> --revoked<\/span> --expired<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
This removes revoked and expired access\/refresh tokens.<\/p>\n\n\n\n
If you don\u2019t have the purge command, do it manually:<\/p>\n\n\n
-- Revoke + delete<\/span> obviously old tokens (example: older than 90<\/span> days)\nUPDATE oauth_access_tokens SET revoked = 1<\/span>\nWHERE (expires_at IS NOT NULL AND expires_at < NOW()) OR created_at < NOW() - INTERVAL 90<\/span> DAY;\n\n-- Clean up refresh tokens linked to revoked access tokens\nDELETE rt FROM oauth_refresh_tokens rt\nJOIN oauth_access_tokens at ON rt.access_token_id = at.id\nWHERE at.revoked = 1<\/span>;\n\n-- Optionally delete<\/span> the revoked access tokens themselves\nDELETE FROM oauth_access_tokens WHERE revoked = 1<\/span>;\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
Then reclaim disk space (if you use file-per-table InnoDB):<\/p>\n\n\n
OPTIMIZE TABLE oauth_access_tokens;\nOPTIMIZE TABLE oauth_refresh_tokens;\n<\/code><\/span><\/pre>\n\n\n
3) Fix the root causes<\/h1>\n\n\n\n
A) Set short, sane expirations<\/h3>\n\n\n\n
In App\\Providers\\AuthServiceProvider.php<\/code>:<\/p>\n\n\n
use<\/span> Laravel<\/span>\\Passport<\/span>\\Passport<\/span>;\n\npublic<\/span> function<\/span> boot<\/span>()<\/span>\n<\/span>{\n    $this<\/span>->registerPolicies();\n\n    Passport::tokensExpireIn(now()->addHours(2<\/span>));             \/\/ access tokens<\/span>\n    Passport::refreshTokensExpireIn(now()->addDays(14<\/span>));      \/\/ refresh tokens<\/span>\n    Passport::personalAccessTokensExpireIn(now()->addMonths(3<\/span>));\n}\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Deploy, then php artisan config:clear && php artisan cache:clear<\/code>.<\/p>\n\n\n\n
B) Revoke on logout (don\u2019t leave tokens hanging)<\/h3>\n\n\n\n
If you\u2019re issuing access tokens on login, make sure logout revokes them:<\/p>\n\n\n
public<\/span> function<\/span> logout<\/span>(Request $request)<\/span>\n<\/span>{\n    $token = $request->user()->token();\n    if<\/span> ($token) {\n        $token->revoke();\n        \/\/ Also revoke its refresh tokens<\/span>\n        \\DB::table('oauth_refresh_tokens'<\/span>)\n          ->where('access_token_id'<\/span>, $token->id)\n          ->update(['revoked'<\/span> => true<\/span>]);\n    }\n    return<\/span> response()->json(['message'<\/span> => 'Logged out'<\/span>]);\n}\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
If you want to nuke all<\/strong> a user\u2019s tokens on logout:<\/p>\n\n\n
$request->user()->tokens()->delete();\n\\DB::table('oauth_refresh_tokens'<\/span>)->whereIn(\n  'access_token_id'<\/span>,\n  \\DB::table('oauth_access_tokens'<\/span>)->where('user_id'<\/span>, $request->user()->id)->pluck('id'<\/span>)\n)->delete();\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
C) Don\u2019t issue a new token on every request<\/h3>\n\n\n\n
Audit your login\/auth flow\u2014ensure you only<\/strong> create a token at login (or first app start) and then reuse it. If you\u2019re creating tokens during each API call, that\u2019s the main culprit.<\/p>\n\n\n\n
D) Schedule automatic purging<\/h3>\n\n\n\n
In app\/Console\/Kernel.php<\/code>:<\/p>\n\n\n
protected<\/span> function<\/span> schedule<\/span>(Schedule $schedule)<\/span>\n<\/span>{\n    \/\/ Passport 10+:<\/span>\n    $schedule->command('passport:purge --revoked --expired'<\/span>)->dailyAt('02:30'<\/span>);\n\n    \/\/ Optional: extra safety\u2014purge very old tokens regardless<\/span>\n    \/\/ $schedule->call(fn () => \\DB::table('oauth_access_tokens')<\/span>\n    \/\/    ->where('created_at','<',now()->subMonths(6))->delete()<\/span>\n    \/\/ )->weeklyOn(1, '03:00');<\/span>\n}\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Ensure your server cron runs Laravel\u2019s scheduler:<\/p>\n\n\n
* * * * * cd \/path\/to\/app && php artisan schedule:run >> \/dev\/<\/span>null<\/span> 2<\/span>>&1<\/span>\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
4) If you\u2019re not tied to Passport<\/h1>\n\n\n\n
For SPAs and first-party mobile apps, consider Laravel Sanctum<\/strong>. It\u2019s lighter (personal_access_tokens<\/code>), easier to manage, and usually grows less aggressively.<\/p>\n\n\n\n
5) Quick \u201cemergency\u201d reduction<\/h1>\n\n\n\n
If you must free space fast and accept losing old sessions:<\/p>\n\n\n
-- Delete tokens older than 30 days (adjust to your risk appetite)\nDELETE rt FROM oauth_refresh_tokens rt\nJOIN oauth_access_tokens at ON rt.access_token_id = at.id\nWHERE at.created_at < NOW() - INTERVAL 30 DAY;\n\nDELETE FROM oauth_access_tokens\nWHERE created_at < NOW() - INTERVAL 30 DAY;\n<\/code><\/span><\/pre>\n\n\n
Then OPTIMIZE TABLE<\/code> as above.<\/p>\n\n\n\n
\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
using Laravel Passport\u2014the oauth_access_tokens table balloons when tokens aren\u2019t expiring, not being revoked on logout, or not being purged. Here\u2019s a practical, safe cleanup + prevention plan you can apply… <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-51958","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/51958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=51958"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/51958\/revisions"}],"predecessor-version":[{"id":51959,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/51958\/revisions\/51959"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=51958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=51958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=51958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}