how to check if user is authenticated with passport (get user from token using laravel-passport)
Stefan Bogdanescu
Founder & Senior Architect · 2026-06-29
How to Check If a User is Authenticated with Passport (Get User from Token)
As developers working with token-based authentication systems like Laravel Passport, a common challenge arises when designing API controllers: how do you safely retrieve user data based on an incoming request without relying solely on middleware that might stop execution?
In this post, we will explore the most idiomatic and robust ways to check for user authentication within your Laravel controller methods, specifically leveraging the information provided by Passport tokens. We’ll look at why manual token parsing is often unnecessary and how to structure your logic cleanly.
Understanding the Passport Authentication Flow
Laravel Passport handles the heavy lifting of token validation. When a request arrives with a valid Bearer token, Passport intercepts this request, validates the token against the database (or token store), and populates the authentication state for the request lifecycle. This process is managed by the Sanctum/Passport guards.
If you are using standard Laravel scaffolding, the primary way to access the authenticated user object is through the Auth facade:
$user = Auth::user();
This method checks the current request's state. If a valid token was successfully validated by Passport for that request, $user will contain the corresponding Eloquent model; otherwise, it will be null.
The Dilemma: Controller Logic Without Middleware
Your requirement is to allow your controller methods—like get_tagged—to execute and return data whether a user is logged in or not. This means you cannot rely on the standard auth:api middleware forcing an immediate halt if no token is present, as it would prevent your desired fallback logic.
The solution lies in performing an explicit check within the controller method itself, utilizing Passport's built-in authentication state rather than trying to manually parse raw tokens.
Method 1: Explicit Check using Auth Facade (The Cleanest Approach)
Since Passport has already processed the token and established the authenticated state for the request (even if you bypass middleware), you can use standard Laravel checks directly. This avoids complex manual token decoding and keeps your business logic focused.
Here is how you implement the conditional logic in your controller:
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use App\Models\Article; // Assuming this model exists
class ArticleController extends Controller
{
public function get_tagged($tag = "", Request $request)
{
// 1. Check if a user is authenticated via the Passport guard
if (Auth::check()) {
// User is logged in, retrieve the authenticated user
$user = Auth::user();
// Logic specific to the logged-in user
// Example: Return articles tagged by the user
$articles = Article::where('user_id', $user->id)->get();
return response()->json($articles);
} else {
// 2. No user is authenticated, return general data
// Logic for unauthenticated users (e.g., public articles)
return response()->json([
'message' => 'No user is currently logged in.',
'data' => Article::all() // Return global/public data
]);
}
}
}
Why This Works Better Than Manual Token Parsing
Attempting to manually intercept the Authorization header, decode the JWT (which Passport uses internally), and then manually query the database for a user is reinventing the wheel. Passport has already performed this complex cryptographic validation for you. By using Auth::check(), you are simply querying the state that Passport has already established for the current request cycle. This adheres to Laravel's principles of separation of concerns, making your controller cleaner and more readable.
Conclusion: Trusting the Framework
When working with token-based authentication in Laravel, especially within an API context managed by Passport, the key is to trust the framework’s established state management. Instead of trying to re-implement token parsing inside every endpoint, leverage the Auth facade functions like Auth::check() and Auth::user(). This approach ensures your application remains secure, maintainable, and aligned with Laravel's architectural standards, providing a robust foundation for handling authenticated and unauthenticated requests seamlessly. For deeper dives into securing your APIs, exploring resources from https://laravelcompany.com is highly recommended.