I have a standalone ReactJS app, and I am creating an authentication service in another Laravel app.
This makes this a little bit complicated since I cannot use sessions. Regardless of that, by following Passport's documentation, this is what I did:
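    use Laravel\Passport\Client as BaseClient;

    class Client extends BaseClient
    {
        /**
         * Skip the authorization prompt for first-party clients.
         */
        public function skipsAuthorization(): bool
        {
            return $this->firstParty();
        }
    }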
Then, I created the client:
    php artisan passport:client
    INFO New client created successfully.
    Client ID .............................. 9e16a70a-34d3-4a4c-b7c0-734b1cbe9791
    Client secret .................... 8Htimi8GgUbEL8uGdkKjowtZsgm0HQZbJ4kL1w9l
Here is where things get complicated: I implemented a TOTP 2FA flow, which makes it impossible for me to use the password type of grant, since those were verified first. Moreover, as I am using ReactJS, I need to proxy the whole token issuance.
This is how I am trying to handle the token issuance after TOTP verification:
    public function checkOTP(Request $request)
    {
        ...
        try {
            $userId = 1;
            $user = User::findOrFail($userId);
            $client = DB::table('oauth_clients')->where('id', $request->client_id)->first();
            if (!$client) {
                return response()->json(["code" => 400, "message" => "OAuth client not found."], 400);
            }
            ...
            // HANDLE ACCESS TOKEN CREATION
            return response()->json([
                'access_token' => ????
            ]);
        } catch (\Exception $e) {
            return response()->json(["code" => 500, "message" => "Failed to authenticate.", "error" => $e->getMessage()], 500);
        }
    }
But I am not sure how to handle this token issuance. The documentation seems to be forcing the user to access a route within the Laravel project.
Any help would be extremely appreciated. Cheers.
Upvotes: 0
Views: 35