So I created a client using php artisan passport:client, and when I do a POST request to oauth/token I thankfully get back a token.

However, when I try to use that token by putting it in my headers and going to an auth:api protected route I get 401 unauthorized.

Using a different route to login, however, seems to work. When I use this route in my api controller:

Route::post('/login', 'Auth\LoginController@login')->name('login');

which has the following code:

public function login(Request $request) {
    $input = $request->all();

    if (Auth::attempt(['email' => $input['email'], 'password' => $input['password'] ])) {
        $user = Auth::user();

        return [
            'success' => true,
            'token' => $user->createToken('test')->accessToken
        ];
    }

    return [
        'success' => false,
        'message' => 'unable to authenticate'
    ];
}

I get back a token that works on protected routes.

I'm using Postman to test, I have headers Authorization: Bearer <token> and Accept: application/json. Not sure why it works one way but not another.

edit: Here is the protected route:

Route::middleware('auth:api')->get('/user', function (Request $request) 
{
    return $request->user();
});

which uses:

'api' => [
    'driver' => 'passport',
    'provider' => 'users',
],