
The backstory on this, I have been working on the instructions from the documentation: https://laravel.com/docs/5.4/passport

I have

  1. Laravel 5.4
  2. "laravel/passport": "^3.0" from composer
  3. Local Mac OS X running MAMP Pro, PHP 7.0.15

I am calling the sample user route in routes/api.php

    Route::get('/user', function () {
        return 'testing';
    });

Postman curl Header (pulled from the code export in Postman):

    "accept: application/json",
    "authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6ImM3ZmI2ZmNmMWFkOGQ0NjFkNTdhMWU2NjFiYjhhOThmOTJhOTBkMDFkNDkwZDFjNDRkNDg5MTdlYjJiZWYyMDlkNjNmOTQwMjIxNTljZWI5In0.eyJhdWQiOiIxIiwianRpIjoiYzdmYjZmY2YxYWQ4ZDQ2MWQ1N2ExZTY2MWJiOGE5OGY5MmE5MGQwMWQ0OTBkMWM0NGQ0ODkxN2ViMmJlZjIwOWQ2M2Y5NDAyMjE1OWNlYjkiLCJpYXQiOjE1MDE3OTQ2NjIsIm5iZiI6MTUwMTc5NDY2MiwiZXhwIjoxNTMzMzMwNjYyLCJzdWIiOiIxIiwic2NvcGVzIjpbImFwaS1hY2Nlc3MiXX0.CPGM4PIKJBeiJvokuDzShz_1CnqHlnFIML-tWoBCn5GcijMXmQkWOHzTI8QwTws2h719TGA4hemXDljjqoZB0LiztAx2JZ3OhjNS-MhrMNujnTJUbvkXAVfcRdybhlDEWof_iboLICQTYNTslX1iw-2DCyFMh8gB4INAKUhpvzA955ALB-ZunKrjSNKdRkgtZRe0t6VyJf9LwzgjIAfSKoi_qRis36KD7hcf0Id_iWZkhvS-ZfuM5eUpzUooUe0rb4rkYYEYndlHlY7-uuZPlzmPMpaJTR4AW1CLkaK5Ic7fde1x1kk2duW_Znd9ki2YBP0kw7ifAmg2DaM5r2-0kEx_1iFuCIxE8QJns1aIm3XjWoOApovt7V6-s3yJZK3xlIDCjFI-C59RHiVSabh-hKdX4elvSL9taSQyuramPZPpsne9SUh4KCWul0iHoNjFdFJEut_TUBWyUPtD3J7gg6P97uRS_THDAUHMo2UYVhlnu9PV8SvbvjGj3OeaaH7ZbzWQCYKbqsLZAZ2mnJlFhTMghbaC2s_MND1zlRm7w9btmihxVW714NUbH8UAwSvrtIYYQ0itevZ59TLiAXprjmjkhiFkrhdX4bUje4uNEbLYawkZI-1o82IExW9D8kCYpOWOZdWTCLgmaE2wXcf-DTCV-9vDWRAdX1YmP4JbRsc",
    "cache-control: no-cache",
    "content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "postman-token: 2ec7a2c8-3489-812d-4638-ebb7dc62aeb1"

I have 1 personal access token generated using the Vue Components.

I have checked that I am setting the token expiration for 1 year and that is reflecting in the db.

My AuthServiceProvider.php


        Passport::tokensExpireIn(Carbon::now()->addYears(20)); // You can also use addDays(10)
        Passport::refreshTokensExpireIn(Carbon::now()->addYears(20)); // You can also use addDays(10)
        Passport::pruneRevokedTokens(); // basic garbage collector

        Passport::tokensCan([
            'api-access' => 'Access Complete API',
        ]);

My RouteServiceProvider.php (mapApiRoutes is called in the map function)

    protected function mapApiRoutes()
    {
        Route::group([
            'namespace' => $this->namespace,
            'prefix' => 'api',
        ], function ($router) {
            require base_path('routes/api.php');
        });
    }

My Kernel.php route middleware

    protected $routeMiddleware = [
        'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
        'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
        'can' => \Illuminate\Auth\Middleware\Authorize::class,
        'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
    ];


I am using Postman to test out my API auth and get a 401 each time I try. I have tried Personal Access Client and Password Grant Client and both have the same issue. After looking at them both I realized that both use the Authorization Bearer [token] format.

So I started Logging out in various files in Passport source.

In the TokenGuard.php

    public function user(Request $request) {

        // Debug line: casting the request to a string dumps the request line and all headers
        Log::info('TokenGuard: '. $request);

        if ($request->bearerToken()) {
            return $this->authenticateViaBearerToken($request);
        } elseif ($request->cookie(Passport::cookie())) {
            return $this->authenticateViaCookie($request);
        }
    }

The Log looks like this:

[2017-08-10 20:50:20] local.INFO: TokenGuard 93: GET /api/user HTTP/1.1
Accept:          application/json
Accept-Encoding: gzip, deflate
Cache-Control:   no-cache
Connection:      keep-alive
Content-Type:    application/json
Host:            url.com:8888
Postman-Token:   66707fe5-8f6e-4920-948b-2804a76d4a65
User-Agent:      PostmanRuntime/6.2.5

The thing missing is the Bearer [token] portion of the request. The TokenGuard code chunk is running an if/else. This is where I think the failure is happening.

Shouldn't it be logging that out too? Since the Bearer Token is missing the If/Else fails and then it makes sense to return a 401.

Why would my Token be stripped out of the request?

How do you get your token into JavaScript? The token in the code sample above seems to be too long; are you sure you did not copy-paste an encrypted cookie instead? - Kyslik

When you create the personal access token, the Vue component pops a modal that has the token in it. I copied it and then used it. I have tried this three separate times, to make sure I wasn't screwing that up. - TJ Sherrill

Your only option is to debug this yourself: modify relevant files (even core Laravel ones) with \Log::info... statements and see for yourself at what point you get stuck. Have fun! - Kyslik

@kyslik is there anything in my naming that is an issue? Like api vs auth:api or something like that? - TJ Sherrill

1 Answer


Add this to your .htaccess file under the public directory of your project:

RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
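
The rewrite rule above copies the Authorization request header into the HTTP_AUTHORIZATION environment variable so that PHP can see it. The following is an added diagnostic example, not part of the original question or answer, that reports where the bearer token reached PHP without writing the token itself to the log; the function name `locateBearerToken` and the sample arrays are constructed for illustration.

```php
<?php
// Added diagnostic sketch (hypothetical helper, not Laravel or Passport code).
// Reports which server variable, if any, carries the Authorization header.

function locateBearerToken(array $server, array $rawHeaders = []): array
{
    // Places the header can surface. After an internal rewrite, Apache may
    // prefix variables set with [E=...] with REDIRECT_.
    $candidates = [
        'HTTP_AUTHORIZATION'          => $server['HTTP_AUTHORIZATION'] ?? null,
        'REDIRECT_HTTP_AUTHORIZATION' => $server['REDIRECT_HTTP_AUTHORIZATION'] ?? null,
    ];

    // Header names from apache_request_headers() keep their original case.
    foreach ($rawHeaders as $name => $value) {
        if (strcasecmp($name, 'Authorization') === 0) {
            $candidates['apache_request_headers()'] = $value;
        }
    }

    foreach ($candidates as $source => $value) {
        if (is_string($value) && preg_match('/^Bearer\s+(\S+)$/i', trim($value), $m)) {
            // Do not log the token: its length and segment count are enough to debug.
            return [
                'source'   => $source,
                'length'   => strlen($m[1]),
                'segments' => substr_count($m[1], '.') + 1, // a JWT has 3 segments
            ];
        }
    }

    return ['source' => null, 'length' => 0, 'segments' => 0];
}

// Constructed samples: the first mimics the logged request in the question
// (no Authorization header reached PHP), the second mimics the same request
// once the rewrite rule has populated the variable.
$stripped = ['REQUEST_METHOD' => 'GET', 'HTTP_ACCEPT' => 'application/json'];
$restored = $stripped + ['HTTP_AUTHORIZATION' => 'Bearer aaa.bbb.ccc'];

var_dump(locateBearerToken($stripped));
var_dump(locateBearerToken($restored));

// On a live request (assumption: apache_request_headers() is available in this SAPI):
// $headers = function_exists('apache_request_headers') ? apache_request_headers() : [];
// error_log(json_encode(locateBearerToken($_SERVER, $headers)));
```

A `null` source on a request that Postman sent with a bearer token means the header was dropped before PHP ran, which matches the log in the question. Logging only the source, length and segment count also keeps the token out of log files, unlike dumping the whole request.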