How to verify a token with Laravel Passport?

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company
# How to Verify a Token with Laravel Passport: Cross-Service Validation As developers building modern APIs, secure token management is paramount. When you utilize Laravel Passport to issue access tokens, the question naturally arises: how can an external service or a separate microservice reliably verify if an incoming Bearer token is valid, active, and authorized? This guide addresses the scenario where your API resides in one Laravel project, and you need another service (perhaps a gateway or another application) to validate the token without implementing full authentication middleware on every endpoint. ## The Challenge: Token Verification Across Services You are issuing tokens correctly using Laravel Passport, but now you need an external system to act as the gatekeeper. You want your external API to call the Laravel Passport server (or a similar introspection point) to confirm the token’s validity before processing any request. Simply checking the JWT signature locally is insufficient if that token was issued by a different Passport instance or requires specific scope checks validated centrally. The core problem is bridging the gap between two separate applications securely and efficiently. ## The Solution: Leveraging Token Introspection The most robust way to verify an access token externally is through **Token Introspection**. Instead of trying to re-implement the entire authentication flow on the external service, you leverage Passport’s built-in mechanism designed specifically for this purpose. Laravel Passport provides endpoints that allow services to ask the authorization server (your Passport application) if a given token is currently valid and what scopes it possesses. This shifts the responsibility of *validation* back to the source of truth—the Passport authority. ### Step 1: Ensure Passport is Configured for Introspection For external services to query your tokens, you must ensure that your Laravel Passport setup allows these requests. Typically, this involves securing the introspection endpoint (often `/oauth/token` or a dedicated introspection route) with appropriate API keys or client credentials if the service is external. When setting up token issuance in Laravel, remember that Passport handles the complexities of JWT signing and encryption; now you need to focus on how other services can query those claims. ### Step 2: Implementing the Verification Call (The External Service Side) Your external API will receive the Bearer token and must make an HTTP request to your Laravel Passport server. **Example Flow:** 1. Client sends `Authorization: Bearer ` to your external API. 2. The external API extracts the ``. 3. The external API calls a specific endpoint on the Laravel Passport server (e.g., `/oauth/token/introspect`) passing the token. 4. The Passport server validates the token against its database and returns a JSON response indicating if the token is active, its user ID, and scopes. This pattern ensures that your external API remains lightweight while delegating the heavy lifting of security validation to the dedicated authentication service. This separation of concerns keeps your services decoupled and adheres to good architectural practices, much like the principles advocated by the Laravel ecosystem regarding clean architecture. ### Step 3: Handling the Response If the introspection call returns a success status (e.g., `active: true`), you can then proceed with processing the request or accessing the protected resource. If it fails, the external service must immediately reject the request with an appropriate error (e.g., 401 Unauthorized). ## Best Practices for Security When implementing this cross-service validation, keep these security points in mind: 1. **HTTPS is Mandatory:** All communication between your external API and the Passport server *must* occur over HTTPS to prevent token interception. 2. **API Keys for Introspection:** Do not expose the introspection endpoint publicly without protection. Use client credentials or API keys to ensure only authorized services can request token validation. 3. **Minimize Data Exposure:** The introspection response should only return the necessary validation information (e.g., validity status, user ID) and nothing more sensitive than required by the calling service. By utilizing Laravel Passport’s introspection capabilities, you establish a scalable and secure mechanism for verifying tokens across disparate services, ensuring that your API remains highly secure and maintainable.