Passport: how can I manually revoke an access token? I am using the password grant type. I need to manually revoke access for the user when they log out. I can get the token in use with $request->bearerToken(), but this is different from the id field in the database. How can I revoke access using this value?
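Finally I found a method.
I don't know if this is the correct method.
use Lcobucci\JWT\Parser;
// The raw bearer token is a JWT; its "jti" value is the id stored in oauth_access_tokens.
$value = $request->bearerToken();
$id = (new Parser())->parse($value)->getHeader('jti');
// Look the token up by the parsed id, then revoke it.
$token = $request->user()->tokens->find($id);
$token->revoke();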
Just solved this with a coworker
$request->user()->token()->revoke();
assuming the current route is using the auth:api middleware
Auth::user()->token()->revoke();
If you want to delete the token from the database use this
$request->user()->token()->revoke();
$request->user()->token()->delete();
Solution works with Laravel 5.6.*
use Illuminate\Support\Facades\DB;
use Lcobucci\JWT\Parser;
$value = $request->bearerToken();
$id = (new Parser())->parse($value)->getHeader('jti');
DB::table('oauth_access_tokens')
    ->where('id', $id)
    ->update([
        'revoked' => true
    ]);
Thanks for stating clearly that the route has to be using the auth:api middleware.
In your AccessTokenCreated event listener
/**
 * Handle the event.
 *
 * @param AccessTokenCreated $event
 * @return void
 */
public function handle(AccessTokenCreated $event)
{
    Token::where('user_id', $event->userId)
        ->where('id', '<>', $event->tokenId)
        ->update(['revoked' => true]);
}
It will revoke all the access tokens created before, except the one just created.
Don't forget to import the token model
use Laravel\Passport\Token;
Which is the best approach? Revoke or delete a token as the user logs out?
This should be the best solution -
$request->user()->token()->revoke();
for auth:api middleware
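An added example, not part of any post in this thread: a logout action for the password grant that revokes the current access token together with the refresh token issued alongside it. The controller name and JSON responses are hypothetical; the oauth_refresh_tokens table and its access_token_id column are those of Passport's default migrations, and the route is assumed to use the auth:api middleware.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Laravel\Passport\Token;

// Hypothetical controller, for illustration only.
class LogoutController extends Controller
{
    public function logout(Request $request)
    {
        // With auth:api and a bearer token, token() is the Token model for
        // the token that authenticated this request.
        $token = $request->user()->token();

        // Cookie-authenticated first-party requests carry a transient token
        // that has no database row, so there is nothing to revoke.
        if (! $token instanceof Token) {
            return response()->json(['message' => 'No revocable token'], 400);
        }

        DB::transaction(function () use ($token) {
            // Mark the access token as revoked; the row is kept for auditing.
            $token->revoke();

            // The password grant also issues a refresh token linked to this
            // access token. Mark it revoked as well, so the logout does not
            // depend on how refresh tokens are validated.
            DB::table('oauth_refresh_tokens')
                ->where('access_token_id', $token->id)
                ->update(['revoked' => true]);
        });

        return response()->json(['message' => 'Logged out'], 200);
    }
}
```

Revoking keeps both rows in place with revoked set to true; deleting the access token row instead removes that record.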