Laravel Passport: Are API's tokens stored on the server, and where?
I tried to find where the token returned by the method $user->createToken('MyApp')->accessToken; is stored on the database but I can't seem to find it. Is it stored in the server in the first place? If so, where?
If it's not stored on the server because it's self-contained, why did Laravel's developers put $table->rememberToken(); in the default create_users_table.php migration? What's the purpose of the column remember_token?
Thank you for your help.
I guess you could say that some part of the token is stored in the database.
The token returned is JWT (JSON Web Token). Encoded in it is information about the token, like its expiration time, the algorithm used to hash it, the token scopes and its ID (in the payload it's named jti). That ID is what's stored in the oauth_access_tokens table.
In this method in the \Laravel\Passport\PersonalAccessTokenFactory::findAccessToken class you can see how Laravel is checking if the token is in the database:
/**
* Get the access token instance for the parsed response.
*
* @param array $response
* @return Token
*/
protected function findAccessToken(array $response)
{
return $this->tokens->find(
$this->jwt->parse($response['access_token'])->getClaim('jti')
);
}
If you get a valid token and paste it in this online tool you will see the structure of it. Here's how it looks:
Now, knowing the expected format of the payload, if you play around a bit with this information and the data you have in your oauth_access_tokens (id, scope, creation and expiration date) you should be able to create a valid token.