June 09, 2020

How to fix invalid_grant Error with Laravel Passport

If you are upgrading from Laravel 6 to Laravel 7 and you are using Laravel Passport, you might encounter authentication errors involving a 400 HTTP status code and invalid_grant.

This may come as a gotcha since it is not documented in the official Passport upgrade guide. The main reason is that it's not a Passport change. Instead, it's the underlying package thephpleague/oauth2-server that has made the change.

So how do we fix it?

There are 2 changes that you need to take note of when you are upgrading from Passport 7.x to 8.x or 9.x.

  1. invalid_credentials is now renamed to invalid_grant.
  2. The 401 HTTP status code returned on invalid credentials is now changed to 400.

The details are in this PR.

You could probably just update the string / HTTP status code in your code and test cases accordingly to fix the errors, as the PR seems pretty straightforward. A disclaimer, however: I could be wrong, so do your own investigation as required, particularly if you run a sensitive app.
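An added example (not from the original post or from the Passport project): a PHP helper for client or login-proxy code that classifies a token-endpoint response and accepts both error/status pairs listed above, so the same code works before and after the upgrade. The function name, the return labels and the sample responses are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Error string => HTTP status, as listed in the post (old pair, new pair).
const CREDENTIAL_ERRORS = [
    'invalid_credentials' => 401, // before the change
    'invalid_grant'       => 400, // after the change
];

/**
 * Classify a token-endpoint response as 'ok', 'bad_credentials' or 'error'.
 * Fails closed: only a 200 that carries an access_token is ever 'ok', so a
 * check written as "status is not 401" cannot turn the new 400 into success.
 * Note: per RFC 6749 section 5.2, invalid_grant also covers an invalid or
 * expired authorization code or refresh token, so 'bad_credentials' only
 * means a wrong username/password when the request was a password grant.
 */
function classifyTokenResponse(int $status, string $body): string
{
    $json = json_decode($body, true);
    if (!is_array($json)) {
        return 'error'; // non-JSON body, e.g. a gateway error page
    }
    $token = $json['access_token'] ?? null;
    if ($status === 200 && is_string($token) && $token !== '') {
        return 'ok';
    }
    $error = $json['error'] ?? null;
    if (is_string($error) && (CREDENTIAL_ERRORS[$error] ?? null) === $status) {
        return 'bad_credentials';
    }
    return 'error'; // any other error, or a mismatched error/status pair
}

// Constructed sample responses (not captured from a real server).
$samples = [
    [200, '{"token_type":"Bearer","access_token":"constructed-token"}'],
    [401, '{"error":"invalid_credentials","message":"constructed"}'],
    [400, '{"error":"invalid_grant","message":"constructed"}'],
    [400, '{"error":"unsupported_grant_type"}'],
    [200, '{"error":"invalid_grant"}'],
    [502, '<html>Bad Gateway</html>'],
];
foreach ($samples as [$status, $body]) {
    printf("%d %-14s => %s\n", $status, substr($body, 0, 14), classifyTokenResponse($status, $body));
}
```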


Hello! My name is Jian Jye and I work on Laravel projects as my main job. If my article was helpful to you, a shoutout on Twitter would be awesome! I'm also available for hire if you need any help with Laravel. Contact me.