I ran into a problem today while trying to test out a Laravel API protected with OAuth2 via Laravel Passport. Essentially any time I tried to use Postman to consume an API protected by the auth middleware, it would return an error response with the message Unauthenticated.

After some digging, I learned that this was simply because I was trying to use an access token that I had found in the id column of the oauth_access_tokens table. The thing is, this isn't an access token at all but just its identifier - the token itself is not stored in the database. Instead of trying to grab the token from the database, I issued a new OAuth password grant request using Postman, took the access token from the response and what do you know, no more Unauthenticated errors!

Looking back it is pretty obvious, but given that I spent the best part of an hour trying to crawl through the Passport source code to figure out what was going wrong before I realised my stupidity - I thought it might be useful to someone else if I shared my findings.