
rvanbaalen

Changing compromised public/private keys of Laravel Passport

Not sure if I'm in the correct corner of the forum for this question, so please let me know if this is not the right place.

I need to change the public and private key combo of my Laravel Passport installation. What consequences does this bring for my production environment, if any? Or can I freely define a new set and everything should still be working?

They're currently stored in the .env.

Please advise :-) Thanks in advance.

0 likes
2 replies
LaryAI (Level 58)

Changing the public and private keys used by Laravel Passport is a significant action that can have implications for your application, especially in a production environment. Here's a step-by-step guide on how to safely change these keys and what you might expect in terms of consequences.

Step 1: Generate New Keys

First, you need to generate a new set of keys. You can do this using the Laravel Passport command:

php artisan passport:keys

This command will generate new keys and store them in the storage directory by default. Ensure that your .env file or any other configuration settings point to the correct location of these new keys.

Step 2: Update Environment Configuration

If you have specified the key paths in your .env file or elsewhere in your configuration, update these paths to match the new key locations. Typically, the keys are stored in the storage folder and not directly referenced in the .env file, but this setup can vary based on custom configurations.

Step 3: Consider Access Tokens

When you change your keys, all existing access tokens will become invalid. This is because the tokens are signed with the old private key, and with the key change, the signature verification will fail. Here’s how you can handle this:

  • Revoke Existing Tokens: You can revoke all existing tokens using the following command:

    php artisan passport:purge

    This will force all users to re-authenticate, receiving new tokens signed with the new keys.

  • Communicate with Your Users: Inform your users about the re-authentication requirement. This can be critical for maintaining a good user experience and avoiding confusion.

Step 4: Test the Changes

Before deploying these changes to your production environment, thoroughly test them in a development or staging environment. Verify that:

  • New tokens are issued correctly.
  • The authentication flow works as expected.
  • There are no disruptions in user sessions beyond the initial re-authentication.

Step 5: Deploy to Production

Once you have tested the changes and are satisfied with the outcome in your testing environment, you can deploy the changes to production. Remember to monitor the application closely for any issues that might arise post-deployment.

Conclusion

Changing the keys used by Laravel Passport is a straightforward process, but it requires careful handling to ensure a smooth transition and minimal user disruption. Always test changes in a safe environment before applying them to your production system.

1 like
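As an added example that is not part of the thread and not Laravel Passport's own code: the point in Step 3, that tokens signed under the old private key stop verifying once the key pair changes, can be reproduced with nothing but openssl. Passport issues RS256 JWTs (signed with the private key, verified with the public key); the key pair, the claims in the payload, and the file names under a temporary directory below are constructed for this demo, and the helper names (gen_keypair, sign_token, verify_token, rotation_demo) are this script's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Laravel Passport itself.
# Passport access tokens are RS256 JWTs: signed with the private key,
# verified with the public key. The key pair, claims and file names below
# are constructed for this demo with openssl only.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# base64url-encode stdin without padding, the encoding JWT segments use
b64url_enc() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# base64url-decode $1 to stdout, restoring the '=' padding openssl expects
b64url_dec() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | openssl base64 -d -A
}

# gen_keypair NAME: write $WORK/NAME.key (private) and $WORK/NAME.pub (public)
gen_keypair() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl rsa -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# sign_token KEYNAME: print a minimal RS256 JWT signed with $WORK/KEYNAME.key
# (constructed claims; a real Passport token carries more)
sign_token() {
  header=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_enc)
  payload=$(printf '%s' '{"sub":"42","aud":"1","jti":"demo","scopes":[]}' | b64url_enc)
  sig=$(printf '%s.%s' "$header" "$payload" \
        | openssl dgst -sha256 -sign "$WORK/$1.key" | b64url_enc)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# verify_token TOKEN PUBNAME: exit 0 only if the signature verifies against
# $WORK/PUBNAME.pub, which is the check a resource server does per request
verify_token() {
  signing_input=$(printf '%s' "$1" | cut -d. -f1,2)
  b64url_dec "$(printf '%s' "$1" | cut -d. -f3)" > "$WORK/sig.bin"
  printf '%s' "$signing_input" \
    | openssl dgst -sha256 -verify "$WORK/$2.pub" -signature "$WORK/sig.bin" >/dev/null 2>&1
}

# rotation_demo: issue a token under the old key, rotate to a new key pair,
# and report what happens to the old token. Prints "rejected" and returns 0
# when the old token no longer verifies (the expected outcome), prints
# "still-valid" and returns 1 otherwise.
rotation_demo() {
  gen_keypair old
  gen_keypair new
  token=$(sign_token old)
  verify_token "$token" old || { echo "unexpected: fresh token failed"; return 2; }
  if verify_token "$token" new; then
    echo "still-valid"
    return 1
  fi
  echo "rejected"
  return 0
}

rotation_demo
```

In a real Passport deployment the keys come from storage/oauth-private.key and oauth-public.key, or from the PASSPORT_PRIVATE_KEY and PASSPORT_PUBLIC_KEY variables when they are kept in .env as in the question; the same signature check runs inside Passport's token guard on every request, so from the moment the public key changes, every token issued under the previous private key is refused. That is the behaviour worth confirming in staging (Step 4) before the production rollout: both that freshly issued tokens verify and that tokens from before the rotation are rejected rather than silently accepted.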
