Disabling refresh token rotation > impact?

Simple question – but one for which I couldn’t see the answer in any docs or threads.

We currently have refresh token rotation enabled. However, I would like to turn it off as the security benefits are not so significant in our use case, and we don’t want to require users to internally manage and renew a long-lived token every 6 months.

I want to understand if disabling it will affect current tokens – i.e. will existing refresh tokens be invalidated or face issues (other than their existing expiry being in force).

We have production users using these for automated API queries so I need to be sure of this before toggling it off… and it’s just not clear anywhere if switching from enabled > disabled has such consequences.

Hi there @zenonz, welcome to the community!

When you disable the rotation, it will have one last rotation. The last rotation will give you a non-rotating RT, so it shouldn’t have a negative effect on the users.

Hope this helps!
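As an added illustration (constructed for this thread, not the vendor's code or anyone's posted code), a small model of how an authorization server can implement the behaviour described above: a refresh token minted while rotation was on is single-use, so after rotation is switched off the next exchange performs one last rotation and hands back a reusable, non-rotating token. The `AuthServer` and `RefreshToken` names are hypothetical.

```python
import secrets
from dataclasses import dataclass


@dataclass
class RefreshToken:
    value: str
    rotating: bool          # minted while rotation was enabled -> single-use
    revoked: bool = False


class AuthServer:
    """Constructed model of refresh-token handling with a toggleable rotation setting."""

    def __init__(self, rotation_enabled: bool):
        self.rotation_enabled = rotation_enabled
        self.tokens: dict[str, RefreshToken] = {}

    def issue(self) -> str:
        # The token's single-use property is fixed at mint time from the current setting
        tok = RefreshToken(secrets.token_urlsafe(16), rotating=self.rotation_enabled)
        self.tokens[tok.value] = tok
        return tok.value

    def exchange(self, rt: str) -> tuple[str, str]:
        """Return (access_token, refresh_token the client must use next time)."""
        tok = self.tokens.get(rt)
        if tok is None or tok.revoked:
            raise PermissionError("invalid_grant: refresh token unknown or already rotated")
        access = "at-" + secrets.token_urlsafe(8)
        if tok.rotating:
            # Single-use token: retire it and mint a successor. The successor follows the
            # *current* setting, so if rotation is now off this is the "one last rotation".
            tok.revoked = True
            return access, self.issue()
        return access, rt   # non-rotating token stays valid until its own expiry


def simulate_disable_rotation() -> dict:
    srv = AuthServer(rotation_enabled=True)
    rt1 = srv.issue()
    _, rt2 = srv.exchange(rt1)          # normal rotation: rt1 retired, rt2 issued
    srv.rotation_enabled = False        # admin turns rotation off
    _, rt3 = srv.exchange(rt2)          # last rotation: rt2 retired, non-rotating rt3 issued
    _, rt4 = srv.exchange(rt3)          # rt3 is reusable from here on
    try:
        srv.exchange(rt2)               # the retired rotating token is still dead
        old_rejected = False
    except PermissionError:
        old_rejected = True
    return {"rotated": rt1 != rt2, "last_rotation": rt2 != rt3,
            "reusable_after": rt3 == rt4, "old_rejected": old_rejected}
```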

Thanks! That helps a lot, situation clarified :+1:

