This sounds like you could use a middleware. You could test if the requested scope was in your allowed scopes (I think this is the code you have shown) and then 403 if not.
Would that fit your use case?
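A middleware of the kind suggested above, written as an added example rather than code from this thread or from Laravel Passport itself. It assumes, as in the question, a User model with a scopes() relation whose rows have a `handle` column, and that the token-creation request carries the wanted scopes in a `scopes` array; the class name and the route in the trailing comment are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes (as in the question) a User
// model with a scopes() relation whose rows have a `handle` column, and a
// request body with a `scopes` array for the Personal Access Token being created.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Laravel\Passport\Passport;

class EnsureRequestedScopesAreAllowed
{
    /**
     * Return the requested scopes this user must not receive: anything that is
     * not in the user's own allow list, or that Passport does not know at all.
     */
    public static function disallowed(array $requested, array $allowed): array
    {
        return array_values(array_filter($requested, function ($scope) use ($allowed) {
            $scope = (string) $scope;
            return !in_array($scope, $allowed, true) || !Passport::hasScope($scope);
        }));
    }

    public function handle(Request $request, Closure $next)
    {
        // Keep Passport::tokensCan() in AuthServiceProvider with the full catalogue
        // (including 1st-party-only scopes); the per-user limit is enforced here.
        $requested = (array) $request->input('scopes', []);
        $allowed   = $request->user()->scopes->pluck('handle')->all();

        $denied = self::disallowed($requested, $allowed);

        if ($denied !== []) {
            // Record the refusal so attempts to obtain privileged scopes are visible.
            Log::warning('Rejected personal access token scopes', [
                'user_id' => $request->user()->getKey(),
                'denied'  => $denied,
            ]);
            abort(403, 'Requested scope(s) not permitted: ' . implode(', ', $denied));
        }

        return $next($request);
    }
}
// Attach it to the token-creation route (hypothetical route, e.g. routes/api.php):
//   Route::post('/developer/tokens', TokenController::class)
//        ->middleware(['auth:api', EnsureRequestedScopesAreAllowed::class]);
```

Narrowing the list shown in the token UI only hides scopes; this server-side check is what actually stops a developer from obtaining a 1st-party-only scope by naming it directly in the request.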
So today I started digging into Laravel Passport and so far so good, but for my use case I want a 3rd party developer to create an account and after that he/she can create a Personal Access Token with specific scopes.
I can imagine that it is useful for a developer to create a read only token to use in one place, and a place orders or delete items token in another place. However we as the owner/1st party have specific scopes as well that may only be assigned to us and no other developer may ever get permission for these scopes.
So I went and created a scopes and a scopes_users table defining which scopes should be visible at all to a specific user, so far so good.
But the documentation specifies that the following should go in the AuthServiceProvider
Passport::tokensCan([
'list-brands' => 'List all brands',
'delete-orders-of-other-users' => 'Delete orders of others',
]);
But in the AuthServiceProvider I have no authenticated user of course, what would be an appropriate place to put the following:
Passport::tokensCan(
auth()->user()->scopes->pluck('name','handle')->toArray()
);
I have placed it in the routes file as a quick test, and it works, but of course it doesn't belong there.
With this code, when a user requests his scopes, which he may or may not set when creating a Personal Access Token, it will be limited to the scopes that we as the 1st party have allowed in the first place. And is an approach like this even ok? Or will I get in trouble with this approach?
Or I could just override the default tokensCan method and create my own database implementation?
I am a Laravel Passport virgin so I am curious if anyone has ever been in the same situation and some tips regarding my use case would be very helpful and appreciated!