akLearn

Passport for mobile apps with Secret key confusion

Do you need to use client_secret for mobile apps using passport?

Goal: I'm trying to use Passport to provide tokens for mobile apps.

I went through the Laravel docs on Passport, and with the Passport password grant you are supposed to send a client_secret. However, on this page (https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/) they are saying "and only issue a secret for “web server” apps". So, are the Laravel docs indicating that we should send the client secret with mobile apps?

This link is saying that we should not put the secret in the mobile app, because tomorrow an update would be required if the secret has been changed for whatever reason: https://stackoverflow.com/questions/50848892/how-to-use-laravel-passport-with-password-grant-tokens

Q2. Am I the only one having trouble finding good documentation/help on this topic?

Someone suggested I should create my own login API and create the tokens with $token = $user->createToken('Token Name')->accessToken;

For the love of God ... please provide any info you have

0 likes
6 replies
martinbean

@aklearn No, you shouldn’t be passing a secret key in an HTTP request. The clue’s in the name: it should be secret. The fact that the password grant requires you to pass the client secret when requesting a token is one of the reasons it’s flat-out disallowed in OAuth’s latest security best practice:

The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely.

Instead, use a more appropriate grant type for mobile apps. The Passport docs suggest authorization code grant with PKCE:

The Authorization Code grant with "Proof Key for Code Exchange" (PKCE) is a secure way to authenticate single page applications or native applications to access your API.

1 like
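To make the PKCE recommendation concrete, here is an added example (not code from the thread or from Passport itself) of what a public mobile client does instead of shipping a client_secret: it generates a code_verifier, derives the S256 code_challenge, sends the challenge on the /oauth/authorize request, and later presents the verifier on the /oauth/token request. The base URL and client id are placeholders; the parameter names follow the OAuth 2.0 authorization code flow with PKCE (RFC 7636).

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder values (assumptions, not from the thread). A PKCE client is a
# *public* client: it is registered without a secret, so nothing secret lives on the device.
PASSPORT_BASE = "https://api.example.com"
CLIENT_ID = "public-mobile-client-id"


def make_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43-128 chars of [A-Za-z0-9-._~]; 32 random bytes -> 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize_url(challenge: str, state: str, redirect_uri: str) -> str:
    """Step 1: the app opens this URL in the system browser; only the challenge is sent."""
    params = {
        "client_id": CLIENT_ID, "redirect_uri": redirect_uri, "response_type": "code",
        "scope": "", "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{PASSPORT_BASE}/oauth/authorize?{urlencode(params)}"


def token_request(code: str, verifier: str, redirect_uri: str) -> dict:
    """Step 2: form body for POST /oauth/token. Note: no client_secret field at all."""
    return {
        "grant_type": "authorization_code", "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri, "code_verifier": verifier, "code": code,
    }


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server checks: the verifier presented at /oauth/token
    must hash to the challenge it stored from the matching /oauth/authorize request,
    so a stolen authorization code alone cannot be redeemed."""
    return secrets.compare_digest(challenge_s256(presented_verifier), stored_challenge)
```

The user-facing redirect still carries only the short-lived code; the verifier never leaves the device until the token exchange, and an attacker who intercepts the code but not the verifier fails the server check.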
akLearn

@martinbean Thanks for pointing out PKCE. I looked at the docs and am not clear on how to use that. Do you have any links that explain this a little further?

I have currently created my own login API, which creates the token via $user->createToken('Laravel Password Grant Client')->accessToken;

I get the feeling this isn't the professional/recommended way. Can you please share some information about this?

martinbean

> I have currently created my own login API, which creates the token via $user->createToken('Laravel Password Grant Client')->accessToken;

@aklearn So you’re using Passport, but then not using Passport?

Passport is an OAuth server implementation. You request OAuth tokens from the /oauth/token endpoint Passport registers. You don’t build your own controllers that then just manually create and return tokens; otherwise you may as well not use Passport.

1 like
akLearn

Thanks... I went through that tutorial. It's about setting up an OAuth2 server. It doesn't talk about providing tokens from Passport.

@jlrdw & @martinbean Thanks for sharing what you know. I've noticed you guys are always reaching out to help people on this forum.

1 like