diff --git a/src/app/Providers/AppServiceProvider.php b/src/app/Providers/AppServiceProvider.php
--- a/src/app/Providers/AppServiceProvider.php
+++ b/src/app/Providers/AppServiceProvider.php
@@ -19,6 +19,7 @@
 public function register()
 {
 Passport::ignoreMigrations();
+ Passport::ignoreRoutes();
 }
 
 /**
diff --git a/src/app/Providers/AuthServiceProvider.php b/src/app/Providers/AuthServiceProvider.php
--- a/src/app/Providers/AuthServiceProvider.php
+++ b/src/app/Providers/AuthServiceProvider.php
@@ -15,7 +15,6 @@
 * @var array
 */
 protected $policies = [
- // 'App\Model' => 'App\Policies\ModelPolicy',
 ];
 
 /**
@@ -27,21 +26,6 @@
 {
 $this->registerPolicies();
 
- // Hashes all secrets and thus makes them non-recoverable
- /* Passport::hashClientSecrets(); */
- // Only enable routes for access tokens
- Passport::routes(
- function ($router) {
- $router->forAccessTokens();
-
- // Override the default route to avoid rate-limiting.
- Route::post('/token', [
- 'uses' => 'AccessTokenController@issueToken',
- 'as' => 'passport.token',
- ]);
- }
- );
-
 Passport::tokensCan([
 'api' => 'Access API',
 'mfa' => 'Access MFA API',
diff --git a/src/composer.json b/src/composer.json
--- a/src/composer.json
+++ b/src/composer.json
@@ -24,7 +24,7 @@
 "laravel/framework": "^9.2",
 "laravel/horizon": "^5.9",
 "laravel/octane": "^1.2",
- "laravel/passport": "^10.3",
+ "laravel/passport": "^11.3",
 "laravel/tinker": "^2.7",
 "mlocati/spf-lib": "^3.1",
 "mollie/laravel-mollie": "^2.19",
diff --git a/src/routes/web.php b/src/routes/web.php
--- a/src/routes/web.php
+++ b/src/routes/web.php
@@ -29,3 +29,30 @@
 );
 }
 );
+
+Route::group(
+ [
+ 'prefix' => 'oauth'
+ ],
+ function () {
+ // We manually specify a subset of endpoints from https://github.com/laravel/passport/blob/11.x/routes/web.php
+ // after having disabled automatic routes via Passport::ignoreRoutes()
+ Route::post('/token', [
+ 'uses' => '\Laravel\Passport\Http\Controllers\AccessTokenController@issueToken',
+ 'as' => 'token',
+ // 'middleware' => 'throttle',
+ ]);
+
+ Route::middleware(['web', 'auth'])->group(function () {
+ Route::get('/tokens', [
+ 'uses' => '\Laravel\Passport\Http\Controllers\AuthorizedAccessTokenController@forUser',
+ 'as' => 'tokens.index',
+ ]);
+
+ Route::delete('/tokens/{token_id}', [
+ 'uses' => '\Laravel\Passport\Http\Controllers\AuthorizedAccessTokenController@destroy',
+ 'as' => 'tokens.destroy',
+ ]);
+ });
+ }
+);
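Review bot: The `/oauth/token` route is registered with `// 'middleware' => 'throttle',` left commented out, so token issuance has no application-level rate limit, and nothing in the hunk records why or which control compensates for it. This is the endpoint that receives client (and, depending on the enabled grants, user) credentials, so without a limiter failed attempts are bounded only by whatever sits in front of the application. Either restore `'middleware' => 'throttle',` (or a dedicated named limiter sized for legitimate token traffic), or replace the dead line with an explicit statement such as `// Intentionally unthrottled: rate limiting is enforced at <component>; failed grants are logged at <location>`. Separately, the removed registration named this route `passport.token` while the new one names it `token`; unless an enclosing group outside this hunk adds a name prefix, existing `route('passport.token')` lookups would stop resolving, which adding `'as' => 'passport.',` to the group array next to `'prefix' => 'oauth'` would avoid.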