After a user is deleted via API or Dashboard, is there a way to in-validate any active session. For example, if the Auth0 ID does not exist, force a logout or respond with a status code of 401?
When a user is deleted, their Auth0 session is invalidated, and so the next time they go to fetch a new Access Token from Auth0 it will fail and ask for a login. However, there is no synchronisation between Auth0 and your application; your application will need to check in with Auth0 to ensure the user still has a valid session on the Auth0 side, and act appropriately if Auth0 asks for a login (e.g. destroy their local session and redirect to the login page of your app).
To this end, I would recommend reducing your Access Token lifetimes to as short as is practical for your application, and use silent authentication to check the user still has a session with Auth0 when these tokens expire, or if the user attempts to access something sensitive for example.
Does Access token requests affect our rate limits?
Yes these will count towards the rate limits on the Authentication API (Authentication API Endpoint Rate Limits), so you would need to find a balance between your tenant’s plan and how often your application checks the user still has a valid session, as an access token will remain valid until it expires.
Let us know @pcasa if you have any additional questions!