Laravel & Passport = Frustration and 401

Published 10 months ago by BN

I've spent days trying to configure Laravel/Passport and get nothing but 401 unauthenticated error codes.

Is this just a buggy part of the code and I should just spin my own JWT? I've seen a lot of errors and writings in this section and I'm tired of trying to figure this out.

Mindspace does a great tutorial on Laravel and setting up JWT on Youtube. He purposefully says he didn't use Passport, and I think he did that because the code isn't good. He didn't throw Laravel under the bus, but I will after days trying to configure it.

Any suggestions?




Your question is incomplete. When are you getting a 401? Seeing you're passing judgement on code, I'll assume you have created your cors middleware.

Passport is intended for authorizing applications and oauth for users. Jwt is something different.

Jwt is typically used for a JavaScript front end from a known site and using laravel for API to manage user authentication as collies etc won't work.

Passport is bigger. It's used to authenticate the requesting app, typically sever to server and having user authentication for many apps (one login, like Facebook social login).

You can use it for frontend too, but might be overkill. If you're consuming the API on your, and only your, frontend jwt and cors are fine.

Before you attempt to state that some code is bad because you can't figure it out, yet obviously don't understand what it's used/intended for, might want to get knowledge before passing judgement.


It's noted frequently on these board that the code is buggy, the code isn't apparently implemented much as the bugs listed here are show stoppers in many respects.

The only conclusion I'm drawing is that I've followed the instructions and docs to the letter and nothing works.

So I continue to ask the this code implementable....or too many bugs in it for production?

Is anybody using it in production environment?

While it may be overkill, it apparently should be able to work with a restful API.


I have three apps that utilize it in production plus spark uses it too. Never an issue yet. One app has over one million requests an hour.


I've got some problems on my end I suppose then...

I've ensured that this isn't a problem:

I've created a oauth_access_token in my DB using

$token = $user->createToken('Token Name')->accessToken;

Then I'm using Postman to submit an API request:

Using: Authorization= "Bearer token" && Accept="application/json"

Every time I submit a request I get a 401.

My route is:

Route::get('/user/{user}', function (App\user $user) { return $user->email; })->middleware('auth:api');

I've also :


And updated AuthServiceProvider:





Using post man you need three headers:

Application application/json

Accept application/json

Authorization Bearer token

Make sure there is a space between Bearer and the token.

The token is a huge string. Almost like an ssh key in length, not the tokens name.


I wrote huge reply and got timed out and lost it....more frustration.


Thank you for suggestions...

I am using the three headers now as you suggest and it still is not working.

I am using the oauth_personal_token/id column from the DB...I assume that this is the token that is being generated. Why isn't the column titled token instead of ID? Anyway, when I submit this token in Postman I get a 401 unauthenticated.

Also, when I login via the default login blade, it creates a remember_token in the Users DB table. This token also creates a 401 error.

Both tokens that are getting created are having 401 error code.


Also, previously you mention CORS....but I am not using CORS at this point as I'm only submitting POSTMAN and not consuming API from another domain yet.

Do I need to implement CORS at this point? Also, is there a package that you've used for CORS, or did you write your own?


I did create a simple CORS at this point, and registered it as a middleware in the middleware class in the kernel.php file. It did not solve the issue.


when re-reading your comment above...

"The token is a huge string. Almost like an ssh key in length, not the tokens name."

I'm confident that I'm not using the right token....


This is coming from the field {id} from the oauth_access_token field in my DB

I modified it by adding about 5 random characters....but as you see it's nowhere near the length of an SSH key.

What am I doing wrong?


ping @jekinney


Only thing I can suggest is give this a listen too.

Tayler himself did the screen cast. Still relevant.

This thread shows what the token should look like:


Thanks! @jekinney

I used the following to diagnose my mistakes and misunderstandings....

1.) I was successfully creating a token with the following code placed in src/illuminate/Foundation/Auth/AuthenticatesUsers/Authenticated

So After the user is logged in I am creating a token.

$token = $user->createToken('Token Name')->accessToken;


....also have to add facade

use Log;

2.) Upon login the table oauth_access_tokens is creating a record with a field "ID". I mistakenly thought the ID field was the token....IT IS NOT THE TOKEN.

3.) I logged the token to the error log. Then I took the token from the error log and plugged it into worked.

JeKinney...the man...thanks!

Followup question. Why isn't the token stored in one of the 6 tables that passport creates when I installed it and then ran the migrations? Do I need to manually store the token into the user field...???

OH...As I write out my thoughts...I think that the key and secret are encrypting and decrypting the ID field that is stored with the oauth_access_token table....Is that what is happening?

I am going to write my frontend app in React JS...So react will just need to store a cookie or something on the client to continually send over the token for that correct?



Not sure if it is relevant for your problem, but I've had some trouble with API-related functions on my local machine because I had a version of curl that was faulty and would not work with the particular API I was trying to use. Guzzle was using that version behind the scenes and when I moved it to my production server, which had a different version of curl, it worked.

Please sign in or create an account to participate in this conversation.