Laravel Passport – what is the difference between tokensExpireIn, refreshTokensExpireIn and personalAccessTokensExpireIn

Hello, I'm new to Laravel Passport. Can someone tell me what the difference is between tokensExpireIn, refreshTokensExpireIn and personalAccessTokensExpireIn?



Method 1

Access tokens carry the necessary information to access a resource directly. In other words, when a client passes an access token to a server managing a resource, that server can use the information contained in the token to decide whether the client is authorized or not. Access tokens usually have an expiration date and are short-lived (tokensExpireIn).

Refresh tokens carry the information necessary to get a new access token. In other words, whenever an access token is required to access a specific resource, a client may use a refresh token to get a new access token issued by the authentication server. Common use cases include getting new access tokens after old ones have expired, or getting access to a new resource for the first time. Refresh tokens can also expire but are rather long-lived (refreshTokensExpireIn).

The idea behind refresh tokens is that if an access token is compromised because it is short-lived, the attacker only has a limited time to exploit it.

Refresh tokens, if compromised, are useless because the attacker requires the client id and secret in addition to the refresh token in order to gain an access token.

Personal Access Tokens are used where users may want to generate access tokens for themselves without going through the standard authorization code redirect flow. Allowing users to issue tokens to themselves via the UI of your application may be useful for allowing users to play with your API or can serve as an easier approach to issuing access tokens in general. These tokens are usually long-lived (personalAccessTokensExpireIn) but the lifetime may be managed through the UI as well. An example of this would be Github:
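The three lifetimes the answer describes are set in one place in a Passport application. The following is an added example (not part of the answer above) of an `AuthServiceProvider::boot()` that applies them; the concrete durations are illustrative choices, not values the page prescribes.

```php
<?php

namespace App\Providers;

use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Access tokens: short-lived. A leaked bearer token is only usable
        // until this deadline, so keep it as small as the client can tolerate.
        Passport::tokensExpireIn(now()->addMinutes(15));

        // Refresh tokens: longer-lived, but still bounded. After this the user
        // must re-authenticate through the authorization flow. Passport rotates
        // the refresh token on every use, so a reused (stolen) one is detectable.
        Passport::refreshTokensExpireIn(now()->addDays(30));

        // Personal access tokens: issued by the user to themselves, typically
        // for scripts or API exploration. Long-lived by design, so give them a
        // hard upper bound and rely on revocation from the UI for anything sooner.
        Passport::personalAccessTokensExpireIn(now()->addMonths(6));
    }
}
```

If these methods are never called, Passport falls back to its default lifetimes, so setting all three explicitly makes the policy visible in code review.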

All methods were sourced from or, and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0
