Laravel Passport Scopes

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company
Title: Managing User Roles and Scopes in Laravel Applications Introduction: In today's digital world, managing user roles and permissions is of utmost importance to maintain the security and functionality of your web applications. Laravel provides a powerful tool called Passport to securely manage API access using JSON Web Tokens (JWT). This post focuses on utilizing Passport to implement different user scopes while answering common questions. 1. Understanding Scopes and Roles in Laravel: Before we delve into the implementation, let's clarify the terms 'scopes' and 'roles'. In a database context, scopes are essentially customized filters that you can apply to your models. They offer an alternative method to querying the database based on specific conditions. On the other hand, roles represent specific tasks or privileges assigned to a user for different functionalities within the application. 2. Implementing User Permissions: To manage user permissions using Passport, follow these steps: - Create separate 'user', 'customer', and 'admin' model roles in your database (you can define them as separate columns or tables). - Include migration files for creating all the required tables and fields. - Generate a JWT access token with the desired scope on user authentication, such as:
    Passport::tokensCan([
        'user' => 'User',
        'customer' => 'Customer',
        'admin' => 'Admin',
      ]);
- On your Laravel API routes, you can protect specific route groups based on the scope of the access token:
Route::group(['middleware' => 'auth:api'], function () {
    Route::get('/test', function (Request $request) {
        // Check if user has required scope
        
        if ($request->user()->hasScope('admin')) {
            return response()->json([
                'data' => 'Admin content',
            ]);
        } elseif ($request->user()->hasScope('customer')) {
            return response()->json([
                'data' => 'Customer content',
            ]);
        } else {
            return response()->json([
                'error' => 'Unauthorized',
            ], 401);
        }
    });
});
- If a user needs multiple scopes simultaneously, you can merge the scopes in your Passport configuration:
Passport::tokensCan([
    'user' => ['User', 'Customer'],
    'admin' => 'Admin',
]);
- Finally, when authenticating a user, you can assign the appropriate scopes to the generated access token. 3. Managing User Scopes: To change a user's scope or roles, you may use a UserScopes model with these attributes: user_id, role (with enum values 'user', 'customer', and 'admin'), and active boolean. You could create a method to assign new scopes to the desired user:
    public function assignUserScope($userId, $scope) {
        // Check if scope already exists for the user
        
        // If it doesn't exist, add the new scope
        if ($this->where([
            'user_id' => $userId,
            'role' => $scope
        ])->count() < 1) {
            
            // Assign the new scope to the user
            $this->create([
                'user_id' => $userId,
                'active' => true,
                'role' => $scope,
            ]);
        } else {
            // If already exists, update the active value
            $this->where('user_id', $userId)->update([
                'active' => true,
            ]);
        }
    }
4. Conclusion: Effectively managing user scopes and roles in your Laravel application can help maintain the security of sensitive data within your system. This comprehensive implementation enables you to assign various roles and scopes to users based on their needs, ensuring that only authorized users can access specific functionalities. By incorporating Passport into your API authentication process, you'll have a robust solution for user permissions management in your Laravel application.