Allow logged in WordPress user to access 3rd party Laravel API via OAuth

I approached this slightly differently, for those interested.

I wanted to keep my API as light as possible, and not bloat it with versions/revisions and users, so I ended up creating a 2nd Laravel instance.

On this 2nd Laravel instance (consumer) we used Laravel Socialite, as we already use Google as SSO provider. The user logs in, and this is where the user interacts with my API. All actions are logged on the consumer, keeping them out of my API DB.

For consumer -> API communication, I installed Laravel Passport on my API and use the password_client. I store a password token on the consumer and use Guzzle behind the scenes in my consumer to talk to my API.

I created a WordPress plugin to add a link to the consumer app in the WordPress admin menu. I tried to place Google’s SSO/OAuth login page in an iframe, but due to domain mismatching, it’s not possible.

It works pretty well right now! I would love to convert most of it into a WordPress plugin, but I don’t want to store my bearer/auth tokens in the plugin, as they can be edited/viewed by the user.
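
The consumer-side token handling described in the post, shown as an added example (not the poster's code): a Guzzle wrapper obtains a Passport password-grant token with credentials held only on the consumer and hands callers just the API payload. The class name `ApiGateway`, the `API_*` environment variables, the host `api.example.test` and the `/api/items` route are assumptions, and the mock responses are constructed so it runs offline.

```php
<?php
// Added illustration. ApiGateway, API_* vars and api.example.test are assumed names.
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Psr7\Response;

final class ApiGateway
{
    private ?string $token = null;
    private int $expiresAt = 0;

    public function __construct(private Client $http) {}

    // Password grant against Passport's /oauth/token. Secrets come from the
    // consumer's environment and never reach WordPress or the browser.
    private function token(): string
    {
        if ($this->token !== null && time() < $this->expiresAt - 30) {
            return $this->token; // still valid, reuse it
        }
        $res = $this->http->post('/oauth/token', ['form_params' => [
            'grant_type'    => 'password',
            'client_id'     => getenv('API_CLIENT_ID'),
            'client_secret' => getenv('API_CLIENT_SECRET'),
            'username'      => getenv('API_SERVICE_USER'),
            'password'      => getenv('API_SERVICE_PASSWORD'),
        ]]);
        $body = json_decode((string) $res->getBody(), true, 512, JSON_THROW_ON_ERROR);
        $this->token = $body['access_token'];
        $this->expiresAt = time() + (int) $body['expires_in'];
        return $this->token;
    }

    // Call only after Socialite has authenticated the user; the token is never returned.
    public function get(string $path): array
    {
        $res = $this->http->get($path, ['headers' => ['Authorization' => 'Bearer ' . $this->token()]]);
        return json_decode((string) $res->getBody(), true, 512, JSON_THROW_ON_ERROR);
    }
}

// Offline run with constructed responses: one token reply, one API reply.
$mock = new MockHandler([
    new Response(200, [], json_encode(['token_type' => 'Bearer', 'expires_in' => 3600, 'access_token' => 'constructed-token'])),
    new Response(200, [], json_encode(['items' => []])),
]);
$api = new ApiGateway(new Client(['handler' => HandlerStack::create($mock), 'base_uri' => 'https://api.example.test']));
var_dump($api->get('/api/items'));
```

PHP requests do not share object state, so in a real Laravel consumer the token and its expiry would sit in a server-side store such as the cache rather than in a property.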