Download the PHP package l3aro/passportless-for-laravel without Composer
On this page you can find all versions of the php package l3aro/passportless-for-laravel. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download l3aro/passportless-for-laravel
More information about l3aro/passportless-for-laravel
Files in l3aro/passportless-for-laravel
Package passportless-for-laravel
Short Description Secure token-based authentication for first-party Laravel APIs
License MIT
Homepage https://github.com/l3aro/passportless-for-laravel
Informations about the package passportless-for-laravel
Passportless for Laravel
API token authentication for first-party Laravel apps — personal access tokens, optional refresh-token rotation, token sessions, and ability checks. No OAuth2 server.
Abilities are simple permission strings on access tokens. They are not OAuth scopes.
When to use
| Use Passportless when… | Prefer something else when… |
|---|---|
| Your Laravel app issues tokens for its own clients (mobile, CLI, internal API, server-to-server) | You need a full OAuth2 authorization server → Laravel Passport |
| You want hashed access tokens + optional refresh rotation without OAuth clients/redirects | You mainly need SPA session cookies with Laravel’s first-party stack → Laravel Sanctum is often enough |
| You want low ops: publish migrations, register a guard, protect routes | You need third-party delegated access, authorization-code grants, or OAuth clients |
Two client paths (same package):
- API / mobile / CLI —
Authorization: Bearer {token}(this quick start) - Browser SPA — optional HTTP-only cookies + CSRF → docs/browser-cookies.md
Quick start
1. Install
Optional config:
2. Register the guard
In config/auth.php:
Provider should already point at your user model (providers.users.model).
3. Add the trait
4. Issue a token and call your API
Protect a route:
Client request:
That’s the core loop.
Next steps
| Guide | Topic |
|---|---|
| API tokens | Abilities, middleware, refresh pairs, logout, listing tokens |
| Browser cookies | SPA HttpOnly cookies, SPA routes, CSRF, CORS |
| Multiple guards | Users vs staff (separate identity models) |
| Configuration | Expirations, reuse detection, cookie settings |
| Operations | passportless:doctor, passportless:prune-stale |
| Testing | Host-app test helpers |
| Docs index | Full documentation map |
Features
- Hashed personal access tokens
- Optional refresh-token rotation with reuse detection
- Token sessions (group and revoke related tokens)
- Laravel guard + middleware (
auth:passportless,abilities,ability) tokenCan/tokenCannoton the authenticated user- Optional HTTP-only cookie helpers and SPA auth routes
passportless:doctorandpassportless:prune-stale
Comparison
| Passportless | Laravel Passport | Laravel Sanctum | |
|---|---|---|---|
| OAuth2 | No | Yes | No |
| Best fit | First-party API tokens (mobile, CLI, internal APIs) | Third-party / delegated OAuth | SPAs + simple personal access tokens |
| Ops cost | Low | High | Low |
| Permissions | Token abilities | OAuth scopes | Token abilities |
| Extras | Refresh rotation, sessions, cookie helpers | Full OAuth server | SPA cookie auth, CSRF |
Changelog
See CHANGELOG.
Contributing
See CONTRIBUTING.
Security Vulnerabilities
See our security policy.
Credits
- l3aro
- All Contributors
License
The MIT License (MIT). See License File.
All versions of passportless-for-laravel with dependencies
spatie/laravel-package-tools Version ^1.16
illuminate/contracts Version ^11.0||^12.0||^13.0