
megaman's avatar

passport authenticating

The Laravel Passport documentation says that you make routes require OAuth authentication using auth:api, like so:

Route::get('/user', function () {
    //
})->middleware('auth:api');

It also says that to authenticate a scope you use scope:scope_name, like so:

Route::get('/orders', function () {
    // Access token has both "check-status" and "place-orders" scopes...
})->middleware('scopes:check-status,place-orders');

If using scope, do you need to use both or just the scope one, i.e. do you need

middleware('auth:api'); or middleware(['auth:api','scopes:check-status,place-orders']);

bobbybouwmann's avatar

You need both as far as I know! Both middleware do different things. The auth one makes sure you're authenticated, but the scopes are there for authorization! Two completely different things. You can go through the scopes even if you're not a logged-in user based on a session or other token in the URL, for example.

Normally you would have a route group with the auth middleware and in there a new route group for all the scope routes or per route a defined scope ;)
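
The route layout described in the reply above, as an added example that is not part of the original thread or of the Passport documentation. It assumes the `scopes` and `scope` middleware aliases are registered for Passport's `CheckScopes` and `CheckForAnyScope` classes; the `/orders/status` path and the returned arrays are hypothetical.

```php
<?php
// routes/api.php (added illustration, not code from the thread).
// Assumption: the 'scopes' and 'scope' aliases point at
// \Laravel\Passport\Http\Middleware\CheckScopes and CheckForAnyScope.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Outer group = authentication: every route inside needs a valid access token.
Route::middleware('auth:api')->group(function () {

    // Authenticated only, no particular scope required.
    Route::get('/user', function (Request $request) {
        return $request->user();
    });

    // Inner group = authorization: the token must carry ALL listed scopes.
    Route::middleware('scopes:check-status,place-orders')->group(function () {
        Route::get('/orders', function (Request $request) {
            // Placeholder response for the example.
            return ['orders' => []];
        });
    });

    // Per-route alternative: 'scope' passes if the token has ANY listed scope.
    // tokenCan() then makes the finer-grained decision inside the handler.
    Route::get('/orders/status', function (Request $request) {
        return ['can_place_orders' => $request->user()->tokenCan('place-orders')];
    })->middleware('scope:check-status,place-orders');
});
```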
