Laravel Passport: issuing tokens for first-party apps outside of Laravel routes

Updated: Jan 31, 2025

Laravel Passport is a full OAuth2 server for Laravel APIs. By default, it issues access tokens and refresh tokens when an API client completes one of the OAuth2 grants exposed on Passport's own routes. However, there are scenarios where you want to issue tokens for first-party apps without going through those routes at all. In this answer, we will discuss how to issue tokens for first-party apps outside of Laravel routes using Laravel Passport.

First, let's understand the concept of first-party apps. A first-party app is an application that is under the same domain and control as the Laravel application. For example, if you have a Laravel application running on example.com, then a first-party app could be a JavaScript frontend running on app.example.com.

To issue tokens for first-party apps outside of Laravel routes, we use Laravel Passport's personal access tokens. Personal access tokens are long-lived tokens that authenticate API requests on behalf of a specific user. Unlike tokens obtained through the OAuth2 authorization flows, personal access tokens do not require an authorization grant from an external client: the application creates them directly for a user.

Here are the steps to issue personal access tokens for first-party apps:

  1. Create a new user or use an existing user for the first-party app. This user will own the personal access token.

```php
use App\Models\User;
use Illuminate\Support\Facades\Hash;

// Create a dedicated user record for the first-party app
$user = User::create([
    'name' => 'First Party App',
    'email' => 'app@example.com', // placeholder address
    'password' => Hash::make('secret'), // use a long, generated secret in practice
]);
```

  2. Generate a new personal access token for the user. Passport can only issue personal access tokens once a personal access client exists, which you create once with the `passport:client` Artisan command; after that, call the `createToken()` method on the user.

```php
// Create the personal access client once (shell command, not PHP):
//   php artisan passport:client --personal

// Generate a new token using the User model method (requires the HasApiTokens trait)
$result = $user->createToken('App Token');

// The plain-text token is only available here; the database stores only its id
$plainTextToken = $result->accessToken;
$tokenId = $result->token->id;
```

  3. Share the token with the first-party app. You can share the token in various ways, such as storing it in an environment variable, sending it via email, or storing it in a database.

  4. Use the token to authenticate API requests from the first-party app. The first-party app includes the token in the Authorization header of the API request using the Bearer scheme.

```javascript
// Make an authenticated API request using the token
fetch('https://example.com/api/protected-route', {
    headers: {
        'Authorization': 'Bearer ' + token,
    },
})
.then(response => response.json())
.then(data => console.log(data));
```

  5. Revoke the token when it is no longer needed. Call the `revoke()` method on the token model (`Laravel\Passport\Token`); you can reach it from the `createToken()` result or later by id through the user's `tokens()` relation.

```php
// Revoke the token right away (marks it revoked; Passport rejects it from then on)
$result->token->revoke();
// Or later, by id:
$user->tokens()->where('id', $tokenId)->first()->revoke();
```
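As an added example (not code from the original post), here is a hypothetical Artisan command that wraps the Laravel side of the steps above: it looks up the owning user, optionally revokes earlier live tokens with the same name so that rotation leaves only one valid token, issues the token with scopes, and prints the plain-text value once. It assumes Laravel 8 or later (`App\Models\User` with the `HasApiTokens` trait), that the personal access client has already been created with `php artisan passport:client --personal`, and that any `--scope` values are registered via `Passport::tokensCan()`.

```php
<?php

namespace App\Console\Commands;

use App\Models\User;
use Illuminate\Console\Command;

// Hypothetical command: php artisan app:issue-token app@example.com --scope=read --rotate
class IssueFirstPartyToken extends Command
{
    protected $signature = 'app:issue-token {email : Owner of the token}
                            {--name=first-party-app : Token name, used for rotation}
                            {--scope=* : Scopes registered with Passport::tokensCan()}
                            {--rotate : Revoke live tokens with the same name first}';

    protected $description = 'Issue a Passport personal access token for a first-party app';

    public function handle(): int
    {
        $user = User::where('email', $this->argument('email'))->first();
        if ($user === null) {
            $this->error('No user with that email address.');
            return self::FAILURE;
        }

        if ($this->option('rotate')) {
            // Rotation: keep one live token per name, so an older leaked copy stops working
            $user->tokens()
                ->where('name', $this->option('name'))
                ->where('revoked', false)
                ->each(fn ($token) => $token->revoke());
        }

        // Fails with an exception if no personal access client exists yet
        $result = $user->createToken($this->option('name'), $this->option('scope'));

        // The plain-text JWT exists only in this result; Passport stores its id, not the token
        $this->line($result->accessToken);
        $this->info(sprintf('Token id %s, expires %s', $result->token->id, $result->token->expires_at));

        return self::SUCCESS;
    }
}
```

Register the class in the console kernel (or rely on auto-discovery in `app/Console/Commands`) and the printed token is the value the first-party app sends in its `Authorization: Bearer` header.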

By following these steps, you can issue personal access tokens for first-party apps outside of Laravel routes using Laravel Passport, and authenticate their API requests without any external authorization grant. Because these tokens are long-lived bearer credentials, treat them as secrets: keep them out of source control, send them only over HTTPS, and revoke them as soon as they are rotated or no longer needed.