According to the OAuth 2.0 documentation, access tokens are self-encoded and do not require a database lookup.
When the access token expires, the application can use the refresh token to obtain a new access token. It can do this behind the scenes, and without the user’s involvement, so that it’s a seamless process to the user.
The main benefit of this approach is that the service can use self-encoded access tokens which can be verified without a database lookup. However, this means there is no way to expire those tokens directly, so instead, the tokens are issued with a short expiration time so that the application is forced to continually refresh them, giving the service a chance to revoke an application’s access if needed.
A password access token requires three database lookups to complete verification.
https://github.com/laravel/passport/blob/v7.0.2/src/Bridge/AccessTokenRepository.php#L85
https://github.com/laravel/passport/blob/v7.0.2/src/Guards/TokenGuard.php#L125
https://github.com/laravel/passport/blob/v7.0.2/src/Guards/TokenGuard.php#L134
This approach invalidates the purpose of having access and refresh tokens.
To my knowledge, there is no way to toggle this functionality within Passport. Is this a feature that Passport would consider?
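Added example, not part of the original issue and not Passport's own code: a minimal stateless check of a self-encoded (JWT, RS256) access token, verified from its signature and `exp` claim alone with no database lookup. The function names, claims, 300-second lifetime and the key pair generated in place are assumptions made for illustration.

```php
<?php
// Added example: stateless check of a self-encoded (JWT, RS256) access token.
// Function names, claims and the 300 s lifetime are constructed for illustration.
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function b64url_decode(string $txt) {
    $pad = (4 - strlen($txt) % 4) % 4;               // restore stripped padding
    return base64_decode(strtr($txt, '-_', '+/') . str_repeat('=', $pad), true);
}
function issue_token($privateKey, array $claims): string {
    $header  = b64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'RS256']));
    $payload = b64url_encode(json_encode($claims));
    openssl_sign("$header.$payload", $sig, $privateKey, OPENSSL_ALGO_SHA256);
    return "$header.$payload." . b64url_encode($sig);
}
// Returns the claims if the token is authentic and unexpired, otherwise null.
function verify_token(string $jwt, string $publicKeyPem, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $header = json_decode((string) b64url_decode($h), true);
    // Pin the algorithm; the token must not choose how it is verified.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') return null;
    $sig = b64url_decode($s);
    if ($sig === false) return null;
    if (openssl_verify("$h.$p", $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) return null;
    $claims = json_decode((string) b64url_decode($p), true);
    // With no lookup, the expiry is the only point at which access can end.
    if (!is_array($claims) || !is_int($claims['exp'] ?? null)) return null;
    return $claims['exp'] > $now ? $claims : null;
}

// Constructed sample data: throwaway key pair and claims.
$key = openssl_pkey_new(['private_key_bits' => 2048,
                         'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
$now = time();
$token = issue_token($key, ['sub' => '42', 'scopes' => ['read'], 'exp' => $now + 300]);

// Same token checked inside and just past its lifetime.
var_dump(verify_token($token, $pub, $now) !== null);
var_dump(verify_token($token, $pub, $now + 301) !== null);

// Payload swapped while keeping the original signature.
[$h, , $s] = explode('.', $token);
$forged = $h . '.' . b64url_encode(json_encode(['sub' => '1', 'exp' => $now + 300])) . '.' . $s;
var_dump(verify_token($forged, $pub, $now) !== null);
```

A token verified this way stays valid until `exp` even if the grant is revoked server-side, which is why the quoted OAuth 2.0 text pairs it with short lifetimes and refresh tokens.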