Changing the Duration of Access Tokens and Refresh Tokens and Their Behavior

kito.hirokazu · February 7, 2024, 4:33am

What happens to already issued access tokens and refresh tokens when their durations are changed?

Do already issued tokens become invalidated?
Does the duration of already issued tokens remain as it was before the change, or is the new duration applied?

marcelina.barycka · February 9, 2024, 11:38am

Hi @kito.hirokazu , thank you for posting your questions!

An already issued ID and Access token will be valid for the period they were originally issued for. There is no automate way to invalidate them thus there would be a need to actively logged users out. Revoke Tokens

In case of refresh tokens, the expiry time will also be as initially set, but you can revoke them (once revoked, they will be invalidated). Revoke Refresh Tokens

I remain available in case of follow-up questions!

system · February 23, 2024, 11:38am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Invalidating an Access Token after User Logout Knowledge Articles token , api , invalidate , log-out	1	19398	February 27, 2023
How long is the Refresh token valid if the rotation is not set Help sessions , reusable-refresh-tokens	2	16	August 19, 2024
When does a refresh token become invalid? Help auth0 , authentication , refresh-tokens	3	2233	July 12, 2022
Clarifying Refresh Token Rotation in Auth0 Knowledge Articles refresh-tokens , refresh-token-rotate	1	61	September 12, 2024
Invalid access token returned when using refresh token Help sessions , rotating-refresh-tokens	1	21	October 7, 2024

Changing the Duration of Access Tokens and Refresh Tokens and Their Behavior

Related Topics