
DocTolly

Deleting a user's Passport token on logout.

Hello!

Thank you to the community for your continued support!

I am working on implementing API keys using Passport.

For now, the key will be consumed by a small app within my own front-end (for validating a user is logged in / can access the content). I am using Passport as it leaves room for expansion in the future.

When a user logs in, I issue them a new token using the authenticated() function in the LoginController which, as we know, automatically gets fired after a user successfully logs in. (This works.)

use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    protected function authenticated(Request $request, $user)
    {
        // Issue a Passport personal access token as soon as the session login succeeds
        $token = $user->createToken('userToken'.$user->id)->accessToken;
        // more code
    }
}

When the user logs out, I want to revoke this access token.

I can see that I can override the method ::loggedOut($request); however, I can't access the user details in this method, as the user has already been logged out, and therefore $request->user() is null!

As with most problems I come across in Laravel - there is probably a simple solution that I don't know about yet! Does anyone have any ideas?

At the moment, the only solution I have thought of is creating a new logout method in the LoginController which deletes the token and then delegates to the logout() method in the AuthenticatesUsers trait of the LoginController.

use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    public function deleteTokenThenLogout(Request $request)
    {
        // Delete the token here, while $request->user() is still available

        // Delegate to the actual default logout method in the AuthenticatesUsers trait
        return $this->logout($request);
    }
}

Although at first glance this seems sensible, it's actually really messy, because in order to declare a logout route which points to this method in the controller, I would have to delete Auth::routes() from my routes file and therefore manually declare all the other authentication routes individually. (On reflection it would be nice if the Auth::routes() helper had an 'except' option!)

Does anybody have any advice on how to cleanly delete the token on logout please?

Am I even going around using Passport / API keys in the right manner?

8 replies
D9705996

You could try hooking into the logout event Illuminate\Auth\Events\Logout. There's a bit of an example here:

https://laravel.com/docs/5.8/events#event-subscribers

The logout event has a user property, so you can get access to this in your listener with $event->user (based on the linked example) and revoke the tokens there.

DocTolly

@d9705996 thanks for your response. Out of interest, am I going about providing an API key to access my API endpoints in a sensible / reasonable manner?

D9705996

Passport is very versatile, so there are many ways to handle token-based authentication. From your code I assume you're using personal access tokens. Whether this is appropriate really depends on what you're doing from front-end to back-end. Access tokens tend to complement traditional authentication rather than replace it. E.g. the user logs in and generates an access token that they can then use for third parties to query the API; these don't get removed unless the token is compromised, in which case it's revoked manually and a new one reissued (see the GitLab docs for a good example of PATs).

However, your workflow sounds like you're using this as a primary authentication method.

If so you probably want to look at password grant instead.

bobbybouwmann

You can just do something like this right?

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

public function logout(Request $request)
{
    $user = $request->user();

    // Revoke every Passport token the user holds before the session is torn down
    foreach ($user->tokens as $token) {
        $token->revoke();
    }

    Auth::logout();

    $request->session()->invalidate();

    return redirect('/');
}
DocTolly

@d9705996 Thank you for that. Sounds like password grant is more like what I need (which is a key only valid whilst the user is logged in on the Laravel part of the app).

@bobbybouwmann That's essentially what I ended up doing: redeclaring the logout method in the controller. I wasn't too comfortable overwriting the default logout method though.

bobbybouwmann

@doctolly In this case it's fine, because you're extending the functionality.

Another solution is using an event and listener to perform those actions, which is what @d9705996 suggested:

use Illuminate\Auth\Events\Logout;

protected $listen = [
    Logout::class => [
        \App\Listeners\DeleteUserAccessTokens::class,
    ],
];
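Putting the two suggestions above together (D9705996's Logout-event listener and the $listen registration in bobbybouwmann's reply), here is an added example of what the listener class itself could look like. It is not code from the thread or from Passport. It assumes Laravel 5.8 with Passport installed, that App\User uses the Laravel\Passport\HasApiTokens trait, and that DeleteUserAccessTokens is the class name registered in EventServiceProvider; the TokenRepository and RefreshTokenRepository calls are Passport's own.

```php
<?php

// Added example, not from the thread. Assumes App\User uses
// Laravel\Passport\HasApiTokens and that this class is registered under
// Illuminate\Auth\Events\Logout in EventServiceProvider::$listen.

namespace App\Listeners;

use Illuminate\Auth\Events\Logout;
use Laravel\Passport\HasApiTokens;
use Laravel\Passport\RefreshTokenRepository;
use Laravel\Passport\TokenRepository;

class DeleteUserAccessTokens
{
    /** @var TokenRepository */
    protected $tokens;

    /** @var RefreshTokenRepository */
    protected $refreshTokens;

    public function __construct(TokenRepository $tokens, RefreshTokenRepository $refreshTokens)
    {
        // Resolved from the container when the listener is dispatched
        $this->tokens = $tokens;
        $this->refreshTokens = $refreshTokens;
    }

    public function handle(Logout $event)
    {
        $user = $event->user;

        // SessionGuard fires Logout with whatever user() returned at the time, so a
        // logout request that arrives without an authenticated session carries null.
        // Also skip models that cannot own Passport tokens at all.
        if ($user === null || ! in_array(HasApiTokens::class, class_uses_recursive($user), true)) {
            return;
        }

        // Revoke every live token the user holds. Revoking the access token alone is
        // not enough for password-grant tokens: the refresh token tied to it could
        // still mint a fresh access token, so revoke those as well.
        foreach ($user->tokens()->where('revoked', false)->get() as $token) {
            $this->tokens->revokeAccessToken($token->id);
            $this->refreshTokens->revokeRefreshTokensByAccessTokenId($token->id);
        }
    }
}
```

One caveat worth checking before adopting this: it revokes all of the user's tokens, including any issued to other devices or third-party clients. If only the token minted at login should die with the session, store that token's id in the session inside authenticated() and revoke just that id here instead of iterating the whole relation.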
D9705996

It is worth considering how either of the logout methods @bobbybouwmann and I mentioned are invoked. AFAIK it's only when the user hits the logout route.

How do you handle token revocation if the user doesn't log out but times out?

The password grant helps here, as tokens are time limited.
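As an added illustration of the time-limited point (this is not code from the thread), the lifetimes Passport stamps into the tokens it issues are set in AuthServiceProvider::boot(). The durations below are my assumptions for a browser-session use case, not recommendations from Passport; personalAccessTokensExpireIn() only exists in Passport releases that include it (7.3 or later, to my knowledge), so check the installed version before relying on it.

```php
<?php

// Added example, not from the thread. Durations are assumed values for a
// session-bound front-end; adjust to the application's own risk appetite.

namespace App\Providers;

use Carbon\Carbon;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport;

class AuthServiceProvider extends ServiceProvider
{
    protected $policies = [
        // 'App\Model' => 'App\Policies\ModelPolicy',
    ];

    public function boot()
    {
        $this->registerPolicies();

        Passport::routes();

        // Access tokens issued by the OAuth grants (password, authorization code,
        // client credentials): short, so a token that leaks after the session has
        // timed out is only useful for a few minutes.
        Passport::tokensExpireIn(Carbon::now()->addMinutes(15));

        // Refresh tokens bound how long a client can silently renew without the
        // user logging in again.
        Passport::refreshTokensExpireIn(Carbon::now()->addDays(7));

        // Personal access tokens (createToken()) have their own setting. tokensExpireIn()
        // does not touch them, which is why changing it appears to have no effect on
        // tokens minted in the login controller.
        Passport::personalAccessTokensExpireIn(Carbon::now()->addHours(12));
    }
}
```

Two things to keep in mind when testing this. The expiry is fixed at issue time (it is written to oauth_access_tokens.expires_at and into the JWT's exp claim), so tokens created before the setting changed keep their original lifetime until they are revoked or recreated. And a lifetime does not replace revocation: a 15-minute token is still valid for the rest of those 15 minutes after logout unless something marks it revoked, so the Logout listener and the expiry settings are complementary, not alternatives.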

DocTolly

@d9705996 This was worrying me too. By default the tokens are long-lived (something silly like 100 years). Overriding the default token settings doesn't seem to change it either, which was odd; also it seemed poor practice to set a short token life (for example, if I later use access tokens for a mobile app).

I'm still looking into how I can generate a password grant via the login method (I think I just make a POST request to the controller which issues them). More confusingly, I'm not sure how I can pass that token to the JS app to use on its access requests. (I don't think password grants are automatically passed into axios requests the same way bearer tokens are.)

I find it hard to believe I'm the only Laravel user who has faced this issue, so there must be something I have missed!
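An added example (not from the thread) of issuing a password-grant token inside authenticated(), which is the "POST request to the controller which issues them" the post above is looking for. It assumes a password grant client created with `php artisan passport:client --password`, with its id and secret stored under the hypothetical config keys services.passport.client_id and services.passport.client_secret, and that the JS app reads the token from the rendered page rather than from a cookie. The token endpoint is called through the application kernel instead of over HTTP, so no loopback request to the server's own hostname is needed.

```php
<?php

// Added example, not from the thread. Assumes a password grant client whose
// credentials live in config/services.php under the assumed keys
// services.passport.client_id / services.passport.client_secret.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    protected $redirectTo = '/home';

    protected function authenticated(Request $request, $user)
    {
        // Forward the credentials the user just submitted to Passport's token
        // endpoint as an internal request; the password is still in the request.
        $tokenRequest = Request::create('/oauth/token', 'POST', [
            'grant_type'    => 'password',
            'client_id'     => config('services.passport.client_id'),
            'client_secret' => config('services.passport.client_secret'),
            'username'      => $request->input($this->username()),
            'password'      => $request->input('password'),
            'scope'         => '',
        ]);

        $response = app()->handle($tokenRequest);

        // The kernel rebinds the container's 'request' to the inner request while
        // handling it; put the original back so later code sees the login request.
        app()->instance('request', $request);

        if ($response->getStatusCode() !== 200) {
            // Do not leave a session logged in whose JS client has no credential:
            // fail closed and send the user back to the login form.
            $this->guard()->logout();
            $request->session()->invalidate();

            return redirect()->route('login')
                ->withErrors(['api' => 'Could not issue an API token.']);
        }

        $token = json_decode($response->getContent(), true);

        // Keep the access token server side and surface it to the page per render.
        // The refresh token is deliberately not stored anywhere the browser can read:
        // when the access token expires the user must log in again, which keeps the
        // API credential bounded by the session.
        $request->session()->put('api_token', $token['access_token']);
        $request->session()->put('api_token_expires_at', now()->addSeconds($token['expires_in'])->timestamp);

        return redirect()->intended($this->redirectPath());
    }
}
```

To get the token into axios, render it once into the layout, for example `<meta name="api-token" content="{{ session('api_token') }}">`, and have the bootstrap script set `axios.defaults.headers.common['Authorization'] = 'Bearer ' + token`. On logout the session is invalidated, so the page can no longer hand out the token, and the Logout listener from earlier in the thread revokes it server side; together with a short tokensExpireIn() that closes the timeout gap D9705996 raised.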
