Installation

Requirements

Requirement    Version
PHP            8.3+
Laravel        13
Database       MySQL, PostgreSQL or SQLite
OAuth engine   league/oauth2-server ^9.0 (pulled in automatically)
JWT            lcobucci/jwt ^5.0 (pulled in automatically)

The package depends on padosoft/laravel-iam-contracts and spatie/laravel-package-tools. Heavy
adapters (AWS KMS, LDAP, AI) are suggested dependencies, never required.

Install

composer require padosoft/laravel-iam-server

The package is auto-discovered through extra.laravel.providers
(Padosoft\Iam\IamServiceProvider) — no config/app.php edits.

Publish configuration

php artisan vendor:publish --tag="laravel-iam-server-config"

This publishes two files:

  • config/iam.php — identity, tokens, OAuth, the Admin API prefix, crypto, audit, observability and
    integration toggles.
  • config/iam-governance.php — IGA feature gates, SoD toxic-combination rules and least-privilege
    thresholds.

See Configuration for every key.

Run migrations

php artisan migrate

Migrations are loaded automatically (toggle with iam.run_migrations). They create the IAM tables:
identity & sessions, the authorization catalog, OAuth client/grant tables, signing & data keys,
applications & manifests, audit, governance, relations (ReBAC), groups, directory sources and approval
steps. The full list is in the Database schema.

What the service provider registers

Routes

  • Admin API at iam.admin.route_prefix (default api/iam/v1) — routes/admin.php.
  • Health / readiness at the same prefix, unauthenticated (routes/health.php).
  • OAuth2 at iam.oauth.route_prefix (default oauth) — routes/oauth.php.
  • OIDC discovery & JWKS at root — routes/oidc.php.

Middleware aliases

  • iam.admin_auth → AdminAuthenticate (bearer-token admin auth).
  • iam.can → AuthorizeIamPermission (delegates to the PDP, e.g. iam.can:iam:manifests.apply).
  • iam.idempotency → IdempotencyKey (dedupe writes via the Idempotency-Key header).

Registration of the Admin/OAuth routes can be turned off with iam.admin.register_routes and
iam.oauth.register_routes if you want to mount them yourself.

Choose a login backend

The IdP issues tokens; how a user proves who they are is pluggable. The package suggests — but does not
require — login backends:

  • Fortify (composer require laravel/fortify): a native username/password backend.
  • Socialite (composer require laravel/socialite): federated / social login.
  • Passkeys (composer require laravel/passkeys): WebAuthn / passkeys — satisfies AAL2 for step-up.

Verify the install

php artisan route:list --path=api/iam/v1   # admin routes are mounted
curl http://localhost/api/iam/v1/health     # → ok (unauthenticated)

Set an OAuth encryption key in production

iam.oauth.encryption_key (IAM_OAUTH_ENCRYPTION_KEY, base64 of 32 bytes) encrypts authorization codes
and refresh tokens. If it is left empty in development the key is derived from APP_KEY; in production
set an explicit key. See Key management.
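The production requirement above is easy to miss in a deploy pipeline, so here is an added preflight script (example code, not part of padosoft/laravel-iam-server) that checks the key in a .env file really is base64 of exactly 32 bytes and prints a way to generate one. It assumes GNU or busybox coreutils (base64 -d, sed, tail), /dev/urandom, and a .env written as KEY=VALUE lines; the sample key embedded at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example, not the package's own code: preflight check that
# IAM_OAUTH_ENCRYPTION_KEY is set and decodes to exactly 32 bytes, so the
# development fallback (deriving the key from APP_KEY) never reaches production.
# Assumes GNU/busybox `base64 -d`, /dev/urandom and a KEY=VALUE style .env file.

# Returns 0 when $1 is non-empty base64 that decodes to exactly 32 bytes.
iam_key_is_valid() {
    key="$1"
    [ -n "$key" ] || return 1
    # base64 -d rejects malformed input (stderr silenced); wc -c counts the
    # decoded bytes and tr strips the padding some wc builds print.
    bytes=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${bytes:-0}" -eq 32 ]
}

# Prints a fresh 32-byte random key in the base64 form the config expects.
iam_key_generate() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Prints the value of IAM_OAUTH_ENCRYPTION_KEY from the .env file given as $1
# (last assignment wins, surrounding quotes stripped); prints nothing if unset.
iam_key_from_env() {
    sed -n 's/^IAM_OAUTH_ENCRYPTION_KEY=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Returns 0 when the .env file at $1 carries a usable key, 1 otherwise.
iam_key_check_env() {
    key=$(iam_key_from_env "$1")
    if iam_key_is_valid "$key"; then
        echo "ok: IAM_OAUTH_ENCRYPTION_KEY decodes to 32 bytes"
        return 0
    fi
    echo "FAIL: IAM_OAUTH_ENCRYPTION_KEY is missing or not base64 of 32 bytes in $1" >&2
    echo "      generate one with: head -c 32 /dev/urandom | base64" >&2
    return 1
}

# Constructed sample key: base64 of the ASCII string 0123456789abcdef0123456789abcdef.
IAM_SAMPLE_KEY="MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY="

# Usage: sh iam-key-check.sh --check [path/to/.env]
# The check only runs when asked, so the functions can also be sourced from a deploy script.
if [ "${1:-}" = "--check" ]; then
    iam_key_check_env "${2:-.env}"
fi
```

Run it as a deploy gate (sh iam-key-check.sh --check .env) so a release with an empty or malformed key fails before the app boots and silently falls back to the APP_KEY derivation.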

Next