Changing the Duration of Access Tokens and Refresh Tokens and Their Behavior

kito.hirokazu · February 7, 2024, 4:33am

What happens to already issued access tokens and refresh tokens when their durations are changed?

Do already issued tokens become invalidated?
Does the duration of already issued tokens remain as it was before the change, or is the new duration applied?

marcelina.barycka · February 9, 2024, 11:38am

Hi @kito.hirokazu , thank you for posting your questions!

An already issued ID and Access token will be valid for the period they were originally issued for. There is no automate way to invalidate them thus there would be a need to actively logged users out. Revoke Tokens

In case of refresh tokens, the expiry time will also be as initially set, but you can revoke them (once revoked, they will be invalidated). Revoke Refresh Tokens

I remain available in case of follow-up questions!

Topic		Replies	Views
Access token refreshing after Tenant session timeout Get Help authentication , refresh-tokens	10	10982	May 27, 2020
Access token from /oauth/token becomes invalid Get Help	9	3221	July 2, 2022
The user is logged out after one hour despite the use refresh tokens Get Help sessions , rotating-refresh-tokens	2	61	October 31, 2025
Seemingly able to renew access_token with expired id_token Get Help id_token , access-token , expiration	7	6738	July 25, 2019
Does Auth0 prevent the user to be logged in at two different places? Get Help authentication-api	10	5800	May 25, 2019

Changing the Duration of Access Tokens and Refresh Tokens and Their Behavior

Related topics