Any way to kill a token upon logout? (2020 edition)


Everything I’ve seen, including this Community topic, indicates that there is no standard nor Auth0-specific way to invalidate an access token. The accepted manner of dealing with a logout event is to build a token blacklist into my API.

My question, then: Is this still the preferred way of handling this scenario? (Asking for a manager :grin:)



Hi @emcintyre,

Welcome to the Community!

Yes, access tokens are stateless and are valid until expiration. You can do things to alleviate this concern, like shortening the lifetime of the tokens and refreshing more often with silent auth or a revokable refresh token.

Hope this helps,

