Any way to kill a token upon logout? (2020 edition)

emcintyre · March 3, 2020, 7:53pm

Hi,

Everything I’ve seen, including this Community topic, indicates that there is no standard nor Auth0-specific way to invalidate an access token. The accepted manner of dealing with a logout event is to build a token blacklist into my API.

My question, then: Is this still the preferred way of handling this scenario? (Asking for a manager )

Thanks,
Eric

dan.woda · March 6, 2020, 3:41pm

Hi @emcintyre,

Welcome to the Community!

Yes, access tokens are stateless and are valid until expiration. You can do things to alleviate this concern, like shortening the lifetime of the tokens and refreshing more often with silent auth or a revokable refresh token.

Hope this helps,
Dan

Topic		Replies	Views
Expire access token when Logout Get Help logout , auth0 , access_token	3	8059	July 19, 2024
Having Trouble on Remove Auth0 Session When Logout From Front End Get Help auth0	3	5337	October 11, 2019
Invalidating an access token when user logs out Get Help jwt , access-token	13	33253	July 19, 2024
How does auth0 handle logouts Get Help community-topic , other	2	446	December 21, 2023
How to destroy JWT token when signout Get Help jwt	2	11385	March 2, 2018

Any way to kill a token upon logout? (2020 edition)

Related topics