
hennawy's avatar

Passport Clients

I have a Laravel app and I use Passport for authentication, for the app users to generate tokens to access the APIs (the whole system is APIs; even the frontend, which is an external app, uses APIs, not Blade).

Now an external system will integrate with my system and I should create a token for them to be able to consume my APIs.

I have read a lot of articles but I still can't understand the whole cycle. Should I give them a regular token like my app users? Or should I use the client ID and client secret (which I still can't understand how to achieve using APIs)?

I hope anyone can help me figure it out. Thanks

0 likes
5 replies
RamjithAp's avatar

You have two options.

  1. Allow the external system to log in to your app and give them the option to create an access token on their account.
  2. The external system can create an access token using the Passport endpoint, like below:

```php
$http = new GuzzleHttp\Client;

$response = $http->post('http://your-app.com/oauth/token', [
    'form_params' => [
        'grant_type' => 'password',
        'client_id' => 'client-id',
        'client_secret' => 'client-secret',
        'username' => '[email protected]',
        'password' => 'my-password',
        'scope' => '',
    ],
]);

return json_decode((string) $response->getBody(), true);
```

Read this for more info: https://laravel.com/docs/5.4/passport#password-grant-tokens

hennawy's avatar

Just to be clear, if I choose option 2:

This means I will create an API in my system, let's say called (get_token), then the other system will call this API to get its token. Is that what you mean?

```php
Route::get('get_token', function () {
    $http = new GuzzleHttp\Client;

    $response = $http->post('http://my-domain/oauth/token', [
        'form_params' => [
            'grant_type' => 'password',
            'client_id' => '6',
            'client_secret' => 'plNSvJpcieH8kwccJYNlTU9r4LzlliZNRk7OU5Ly',
            'username' => '[email protected]',
            'password' => 'my-password',
            'scope' => '',
        ],
    ]);

    return json_decode((string) $response->getBody(), true);
});
```

If this is right, then when I tried to call the API from Postman I get this error:

Server error: POST http://my-domain/oauth/token resulted in a 500 Internal Server Error response:\n<!--\n\n\nUnexpectedValueException: The stream or file "/var/www/html/.../storage/logs/larav (truncated...)

RamjithAp's avatar
Level 10

Your route will be:

```php
use Illuminate\Http\Request;

Route::post('get_token', function (Request $request) {
    $http = new GuzzleHttp\Client;

    // Forward the caller's credentials to Passport's token endpoint
    $response = $http->post('http://my-domain/oauth/token', [
        'form_params' => [
            'grant_type' => 'password',
            'client_id' => 'take_from_passport_table',
            'client_secret' => 'take_from_passport_table',
            'username' => $request->email,
            'password' => $request->password,
            'scope' => '*',
        ],
    ]);

    // Return the decoded token response to the caller
    return json_decode((string) $response->getBody(), true);
});
```

  1. Send a Postman POST request to http://my-domain/get_token with the parameters email & password.
  2. Based on the error you posted above, your storage/log/laravel.log file is not writable, so fix that as well.
1 like
hennawy's avatar

Thank you, it worked :D Just one last thing: can I try this on localhost? Because when I replace my-domain with "localhost:8000", Postman keeps trying to send the request and I don't receive a response.

And if I use client_credentials instead of the password grant type, which middleware should I use to secure the APIs?

alazark's avatar

@hennawy you may add Laravel\Passport\Http\Middleware\CheckClientCredentials in the Kernel.php file inside the Http directory, under the $routeMiddleware array, and alias it as client or whatever is convenient for you.
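
The client_credentials setup from the last two posts, seen from the external system's side, as an added example that is not code from the thread: the integration authenticates with its own client ID and secret and never handles a user's email or password. Assumptions: `https://my-domain` is a placeholder host, `/api/orders` is a hypothetical route protected on the server with `->middleware('client')` (the alias suggested above), the `PARTNER_*` environment variable names are made up, and the client was created on the server with `php artisan passport:client --client`.

```php
<?php
// Added example: the external system's side of the client_credentials grant.
// Assumptions: https://my-domain is a placeholder host, /api/orders is a
// hypothetical route the server protects with ->middleware('client'), and the
// PARTNER_* environment variable names are made up for this sketch.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Exception\GuzzleException;
use GuzzleHttp\Exception\RequestException;

// Exchange the client's own id/secret for a token; no user email or password.
function fetchClientToken(Client $http, string $id, string $secret): array
{
    $response = $http->post('/oauth/token', [
        'form_params' => [
            'grant_type'    => 'client_credentials',
            'client_id'     => $id,
            'client_secret' => $secret,
            'scope'         => '',
        ],
    ]);
    $body = json_decode((string) $response->getBody(), true);
    if (!is_array($body) || !isset($body['access_token'], $body['expires_in'])) {
        throw new RuntimeException('Token endpoint returned no access_token');
    }
    // Keep the expiry so the caller can reuse the token instead of re-requesting it.
    return ['token' => $body['access_token'], 'expires_at' => time() + (int) $body['expires_in']];
}

// Read the secret from the environment rather than hard-coding it in source.
$id = getenv('PARTNER_CLIENT_ID');
$secret = getenv('PARTNER_CLIENT_SECRET');
if ($id === false || $secret === false) {
    fwrite(STDERR, "Set PARTNER_CLIENT_ID and PARTNER_CLIENT_SECRET\n");
    exit(1);
}

$http = new Client(['base_uri' => 'https://my-domain', 'timeout' => 10]);
try {
    $grant = fetchClientToken($http, $id, $secret);
    $response = $http->get('/api/orders', [
        'headers' => ['Authorization' => 'Bearer ' . $grant['token'], 'Accept' => 'application/json'],
    ]);
    echo $response->getBody(), PHP_EOL;
} catch (GuzzleException | RuntimeException $e) {
    // Report only the status code; never log the secret or the token.
    $status = ($e instanceof RequestException && $e->hasResponse()) ? $e->getResponse()->getStatusCode() : 'no response';
    fwrite(STDERR, "Request failed ({$status})\n");
    exit(1);
}
```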
