
saantty44's avatar

Personal Access Token

When I generate the access token through a login, I assign an expiration period (a short one of 10 minutes), but later, when those 10 minutes have passed, the token is still valid (at least in my case).

Is this normal? Shouldn't I receive an authentication error? Or do I have to do it manually in each method (API path)?

I have this code in AuthServiceProvider

public function boot() {
    $this->registerPolicies();

    Passport::routes();
    Passport::tokensExpireIn(Carbon::now()->addMinutes(10));
}
saantty44's avatar

I am developing a mobile application. I get the data through an API (Laravel), so before accessing it I need to authenticate. Is the Personal Access Token the same as the Password Grant Tokens? As I read, Password Grant Tokens do not need authentication in the API; would this not create a security breach? It's my first API in Laravel, I'm still learning... sorry.

Thanks very much! @M

Krishnaraj27's avatar

You have to use this method: personalAccessTokensExpireIn()

For example: Passport::personalAccessTokensExpireIn(now()->addMonths(2));

You can check in the database after the token is created. In the oauth_access_tokens table, you can find your token by the time it was created, and the expires_at time will be as you defined.

Although personal access tokens have a different table and the access token we create at login is stored in a different table (oauth_access_tokens), it works like this as of Laravel 10.
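
Added example, not part of any reply above and not Passport's own code: it sets the grant-token and personal-access-token lifetimes separately and has the login endpoint read back the stored expires_at, which is the database check the answer describes. LoginController, the token name 'mobile-login' and the 7-day refresh lifetime are assumptions for illustration.

```php
<?php
// Added example (two files in one listing). Assumes laravel/passport is installed,
// a personal access client exists, and App\Models\User uses HasApiTokens.

// ---- app/Providers/AuthServiceProvider.php ----
namespace App\Providers;

use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Lifetime of tokens issued by the OAuth grants (password, auth code, ...).
        Passport::tokensExpireIn(now()->addMinutes(10));
        Passport::refreshTokensExpireIn(now()->addDays(7));
        // Tokens from $user->createToken() use this separate setting.
        Passport::personalAccessTokensExpireIn(now()->addMinutes(10));
    }
}

// ---- app/Http/Controllers/LoginController.php (hypothetical controller) ----
namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class LoginController extends Controller
{
    public function login(Request $request)
    {
        $data = $request->validate(['email' => 'required|email', 'password' => 'required']);
        $user = User::where('email', $data['email'])->first();
        if (! $user || ! Hash::check($data['password'], $user->password)) {
            return response()->json(['message' => 'Invalid credentials'], 401);
        }
        $accessToken = $user->createToken('mobile-login')->accessToken;
        // Read back the newest oauth_access_tokens row to confirm the stored expiry.
        $row = $user->tokens()->latest()->first();

        return response()->json([
            'access_token' => $accessToken,
            'expires_at'   => $row->expires_at->toIso8601String(),
        ]);
    }
}
```

The lifetime is fixed when a token is issued, so a token created before the setting was added keeps the expires_at it was given and has to be revoked or left to run out.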
