Why i have to run php artisan passport:install on server after composer install via deploy bot?
Stefan Bogdanescu
Founder & Senior Architect · 2026-06-29
The Essential Role of php artisan passport:install in Automated Laravel Deployments
As a senior developer working with CI/CD pipelines and automated deployments, we often encounter situations where seemingly redundant commands are actually critical for system stability and security. One such scenario involves setting up services like Laravel Passport on a freshly deployed server. Specifically, the question arises: Why must we run php artisan passport:install after running composer install via a deployment bot?
This post will dive deep into why this command is not just an optional step but a mandatory foundation for your application’s security and functionality in a production environment, especially when dealing with automated deployments.
Understanding the Passport Installation Process
Laravel Passport implements OAuth2 server functionality, allowing your application to handle secure token-based authentication and authorization. To function correctly, Passport requires cryptographic keys—specifically private and public keys—to manage the encryption and signing of tokens.
When you run php artisan passport:install, Laravel executes several crucial tasks:
- Key Generation: It generates the necessary private and public keys required for token creation and verification.
- File Placement: It writes these sensitive keys to the appropriate locations within your application's storage directory (often within
storage/oauth-private.key). - Configuration Setup: It registers the necessary service providers and configuration settings within the framework.
If you skip this step during deployment, as your experience suggests, the system proceeds without these critical keys. This leads directly to errors like the one you encountered:
LogicException(code: 0): Key path "/public_html/releases/1556096621/storage/oauth-private.key" does not exist or is not readable
This error confirms that subsequent code attempting to use Passport (like token issuance or validation) cannot find the cryptographic material it needs to operate securely.
The Deployment Bottleneck: Composer vs. Artisan
The core confusion often stems from separating dependency installation (composer install) from application setup (artisan commands).
composer install: This command focuses on installing PHP dependencies defined incomposer.json. It sets up the codebase and the vendor directory. It ensures all necessary libraries (likelaravel/passport) are present.php artisan passport:install: This command focuses on setting up the runtime configuration and generating the specific cryptographic artifacts required by that installed package to make it operational within the current server environment.
In a deployment scenario, while composer install handles the dependencies, it does not automatically execute framework-specific setup tasks that involve file system operations and key generation. Therefore, running php artisan passport:install provides the necessary runtime configuration that links the installed packages to the deployed files.
Best Practices for CI/CD Pipelines
To ensure smooth and reliable deployments, your deployment script must treat application setup as a mandatory step, not an optional one. Skipping this step introduces fragility, especially in environments where file permissions might be tricky (as seen by the is not readable error).
Recommended Deployment Flow
For robust Laravel deployments, integrate these steps sequentially into your deploy bot:
- Pull Code: Fetch the latest release.
- Composer Install: Install all PHP dependencies.
- Permissions Check/Set: Ensure storage directories are writable (as you correctly did with
chmod -R 777 $RELEASE/storage). - Artisan Setup (Crucial Step): Execute the necessary setup commands.
Here is how your sequence should look:
# ... after pulling code and setting up environment ...
composer install --no-progress --optimize-autoloader
# Ensure permissions are set before running artisan commands
chmod -R 777 storage
# Run essential application setup commands
php artisan config:cache
php artisan migrate
php artisan passport:install # Generates necessary keys and configuration
php artisan passport:client --personal # Setup client credentials
By explicitly including php artisan passport:install, you guarantee that the security infrastructure is initialized correctly for the specific release being deployed, preventing runtime errors related to missing cryptographic files. This adherence to framework best practices is central to maintaining a secure application, aligning with the principles promoted by organizations like Laravel Company.
Conclusion
In summary, while composer install handles the dependencies, it delegates the responsibility for runtime setup to you. When deploying complex features like Laravel Passport, which rely on generated private keys and file permissions, manually executing php artisan passport:install bridges the gap between dependency installation and operational readiness. Treat these Artisan commands as essential infrastructure setup steps within your deployment pipeline to ensure that every deployed artifact is fully functional and secure.