Laravel Passport token lifetime

Stefan Izdrail

Founder & Senior Architect · 2026-06-29

Laravel Company
Understanding Laravel Passport Token Lifetime Management

When working with Laravel's authentication system, understanding how to control token expiration is crucial for security. In this blog post, we will explain how to set the lifetime of tokens using Laravel Passport and provide a thorough answer to the query mentioned above. We will also look closely at how these settings impact your application.

Firstly, let's understand the code you provided in your response:

```php
namespace App\Providers;

use Carbon\Carbon;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        $this->registerPolicies();

        // Lifetime of newly issued access tokens.
        Passport::tokensExpireIn(Carbon::now()->addDays(1));

        // Lifetime of the refresh tokens used to renew them.
        Passport::refreshTokensExpireIn(Carbon::now()->addDays(30));
    }
}
```

This code is part of the Laravel Passport configuration. It affects how long the access tokens issued to users last and how long the refresh tokens used for renewing expired access tokens last. The `registerPolicies()` method call registers the application's authorization policies, which is crucial in protecting your application against unauthorized access.

Now let's break down the code:

1. `Passport::tokensExpireIn(Carbon::now()->addDays(1));` sets the expiration time for newly issued access tokens to 24 hours from the current time. This means that after a day, the user will need to re-authenticate to obtain a fresh access token.
2. `Passport::refreshTokensExpireIn(Carbon::now()->addDays(30));` sets the expiration time for refresh tokens used to renew access tokens to 30 days from the current time. This provides longer authentication sessions while maintaining security. The user will only need to re-authenticate after 30 days if they want a new access token.
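To confirm that issued tokens actually carry the configured lifetime, the added example below (not from the original post or from Passport itself) decodes an access token's claims and compares its lifetime with a maximum. It assumes the token is a JWT with numeric `iat` and `exp` claims; the function names and the sample token are made up for illustration.

```php
<?php
// Added example: read the lifetime of a JWT access token from its claims.
// The payload is decoded without verifying the signature, so this is a
// configuration check only and must never be used to authorize a request.

function base64UrlDecode(string $segment): string
{
    $padded = $segment . str_repeat('=', (4 - strlen($segment) % 4) % 4);
    $raw = base64_decode(strtr($padded, '-_', '+/'), true);
    if ($raw === false) {
        throw new InvalidArgumentException('Segment is not valid base64url');
    }
    return $raw;
}

function tokenLifetimeSeconds(string $jwt): int
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Expected header.payload.signature');
    }
    $claims = json_decode(base64UrlDecode($parts[1]), true);
    if (!is_array($claims) || !is_numeric($claims['iat'] ?? null) || !is_numeric($claims['exp'] ?? null)) {
        throw new InvalidArgumentException('Token lacks numeric iat/exp claims');
    }
    // Claims may carry fractional seconds, so round the difference.
    return (int) round($claims['exp'] - $claims['iat']);
}

function exceedsMaxLifetime(string $jwt, int $maxSeconds): bool
{
    return tokenLifetimeSeconds($jwt) > $maxSeconds;
}

// Constructed sample token (assumed claim layout, dummy signature): issued
// at 1700000000 and valid for one day, matching addDays(1) above.
$encode = fn (string $raw): string => rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
$sample = implode('.', [
    $encode(json_encode(['typ' => 'JWT', 'alg' => 'RS256'])),
    $encode(json_encode(['sub' => '1', 'iat' => 1700000000.25, 'exp' => 1700086400.25])),
    $encode('constructed-signature'),
]);

printf("lifetime: %d s\n", tokenLifetimeSeconds($sample));
printf("longer than 1 day: %s\n", exceedsMaxLifetime($sample, 86400) ? 'yes' : 'no');
printf("longer than 10 min: %s\n", exceedsMaxLifetime($sample, 600) ? 'yes' : 'no');
```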
As for your code snippet:

```php
namespace App\Http\Middleware;

use App\User; // App\Models\User on Laravel 8 and later
use Closure;

// Demo only: issues a token for a hard-coded user on every request.
class ParseSpecialToken
{
    public function handle($request, Closure $next)
    {
        $user = User::find(1);
        $accessToken = $user->createToken('Some token')->accessToken;
        $request->headers->add(['Authorization' => 'Bearer ' . $accessToken]);

        return $next($request);
    }
}
```

This code demonstrates how to create a new access token for a specific user (`User::find(1)`) and set the header of an HTTP request with that access token. However, this does not affect the lifetime settings mentioned earlier. `createToken()` issues a personal access token; Passport configures the lifetime of these tokens globally rather than on the object `createToken()` returns, and personal access tokens are issued without a refresh token. To change the expiration time for newly issued tokens in your case, keep the middleware as it is and set the lifetimes in `AuthServiceProvider`:

```php
namespace App\Providers;

use Carbon\Carbon;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        $this->registerPolicies();

        // Personal access tokens (what createToken() issues) expire after 10 minutes.
        Passport::personalAccessTokensExpireIn(Carbon::now()->addMinutes(10));

        // Refresh tokens issued by the OAuth grants expire after one week.
        Passport::refreshTokensExpireIn(Carbon::now()->addDays(7));
    }
}
```

This new code sets personal access tokens to expire in 10 minutes and refresh tokens to expire in a week. Note that you should not set shorter refresh token lifetimes as it could lead to frequent automatic refreshes, and possibly, undesired additional API calls.

In conclusion, understanding how Laravel Passport affects token lifetime is essential for the security of your application. By properly configuring access and refresh tokens, you can provide a more secure authentication experience without compromising user convenience. Remember to always use best practices when working with sensitive information like authentication tokens.
For further insights on this topic, please check out https://laravelcompany.com/blog/access-tokens-in-laravel-5-4 and https://laravelcompany.com/blog/refresh-token-authentication-in-laravel.