Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

Presmelito's avatar

Laravel Passport Token Scope

Is there a way to change scope of a generated password grant token

Password grant token generated:

Http::asForm()->post(env('PASSPORT_ISSUE_TOKEN_URL'), [
                'grant_type' => 'password',
                'client_id' => env('PASSPORT.PASSWORD_GRANT_CLIENT_ID'),
                'client_secret' => config('PASSPORT.PASSWORD_GRANT_CLIENT_SECRET'),
                'username' => $request->input('email'),
                'password' => $request->input('password'),
                'scope' => 'view-post'
            ])

I want to change the scope after a user do some action

0 likes
7 replies
willvincent's avatar

I'm pretty certain the answer is no, that scope is baked into the token, and to change it/set a new scope you'd need to generate a fresh token with the new scope.

1 like
martinbean's avatar

@presmelito No. And you shouldn’t really be using password grant clients, and you definitely shouldn’t be using the env helper in code

1 like
Presmelito's avatar

@martinbean Why we should not use password grant could you explain further? Thanks for pointing that env stuff.

Presmelito's avatar

@martinbean @willvincent Thank you for responding

This is what I did when the user hit the endpoint where I want to alter their token scope

$token = Auth::user()->token();
$token->scopes = ['view-post','write-post']
$token->save();

Is this a bad idea? if so why?

martinbean's avatar

@presmelito Yes, it’s a bad idea. You should be issuing new tokens with the new scopes; not trying to modify already-issued tokens.

Revoke the old token, and issue a new token with the desired scopes.

2 likes

Please or to participate in this conversation.