Exceeding Refresh Token Limit

Last Updated: Aug 20, 2024

Overview

This article explains what happens when a user exceeds an application's limit of refresh tokens, and whether doing so affects the user's session or the application's ability to issue new tokens to that user.

Applies To

  • Refresh Token
  • Limitations
  • User Session

Solution

When the refresh token limit is enforced, the service periodically scans each application. If a user holds more refresh tokens for an application than the limit allows, the service expires the excess tokens on an older-first basis: the oldest tokens are expired first, and the newest are kept.

This means the application can still issue new refresh tokens to a user who is over the limit; the oldest tokens are expired so that the count returns to the limit.

Exchanging any of the last 200 refresh tokens issued is unaffected. Unless the application retains and exchanges older refresh tokens, users should notice no change in behavior. An application that keeps more than 200 refresh tokens for one user (for example, one per device or browser) should expect its oldest ones to stop working and should always exchange the most recently issued token it holds.

The user's session in Auth0 is not affected, and the last 200 refresh tokens issued remain valid, so the application can obtain new tokens normally without the user having to re-authenticate.
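The following is a small model of the behavior described above, added to this article as an illustration; it is not Auth0's implementation. It keeps refresh tokens per (user, application) pair, runs the periodic sweep that expires the oldest tokens beyond the limit, and then checks which tokens an application can still exchange. The token ids, the store API, the limit constant, and the sample user and client ids are all constructed for the example.

```python
"""Toy model of a per-user, per-application refresh token cap enforced by
expiring the oldest tokens first. Illustration only (not Auth0's code):
token ids, the store API and the sample user/client ids are made up."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import count

REFRESH_TOKEN_LIMIT = 200  # per user, per application (figure quoted in the article)


@dataclass
class RefreshToken:
    token_id: str
    user_id: str
    client_id: str
    issued_seq: int   # monotonically increasing issue order; lower = older
    valid: bool = True


class RefreshTokenStore:
    """Holds refresh tokens and enforces the cap with a periodic sweep."""

    def __init__(self, limit: int = REFRESH_TOKEN_LIMIT) -> None:
        self.limit = limit
        self._seq = count(1)
        self._tokens: dict[str, RefreshToken] = {}
        self._by_owner: dict[tuple[str, str], list[RefreshToken]] = defaultdict(list)

    def issue(self, user_id: str, client_id: str) -> str:
        """Issuing never fails because of the cap; the excess is handled by sweep()."""
        seq = next(self._seq)
        token = RefreshToken(f"rt_{seq:04d}", user_id, client_id, seq)
        self._tokens[token.token_id] = token
        self._by_owner[(user_id, client_id)].append(token)
        return token.token_id

    def sweep(self) -> list[str]:
        """Periodic scan: for every (user, application) pair holding more than
        `limit` valid tokens, expire the oldest until exactly `limit` remain.
        Returns the expired ids, oldest first."""
        expired: list[str] = []
        for tokens in self._by_owner.values():
            live = sorted((t for t in tokens if t.valid), key=lambda t: t.issued_seq)
            for token in live[: max(0, len(live) - self.limit)]:
                token.valid = False
                expired.append(token.token_id)
        return expired

    def exchange(self, token_id: str) -> bool:
        """True if the refresh token would be accepted in a token request,
        False if it is unknown or has been expired by the sweep."""
        token = self._tokens.get(token_id)
        return token is not None and token.valid

    def valid_count(self, user_id: str, client_id: str) -> int:
        return sum(t.valid for t in self._by_owner[(user_id, client_id)])


def demo(limit: int = REFRESH_TOKEN_LIMIT, extra: int = 5) -> dict:
    """One user exceeds the cap in client-A by `extra` tokens while also holding
    a few tokens in client-B. Only the oldest `extra` tokens in client-A are
    expired; the newest `limit` survive and client-B is untouched."""
    store = RefreshTokenStore(limit)
    a_tokens = [store.issue("user-1", "client-A") for _ in range(limit + extra)]
    b_tokens = [store.issue("user-1", "client-B") for _ in range(3)]
    expired = store.sweep()
    return {
        "expired": expired,
        "oldest_a_accepted": store.exchange(a_tokens[0]),        # expired by the sweep
        "boundary_a_accepted": store.exchange(a_tokens[extra]),  # oldest survivor
        "newest_a_accepted": store.exchange(a_tokens[-1]),
        "a_valid_count": store.valid_count("user-1", "client-A"),
        "b_valid_count": store.valid_count("user-1", "client-B"),
        "b_all_accepted": all(store.exchange(t) for t in b_tokens),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is which tokens survive: after the sweep the user still has exactly the limit's worth of valid tokens in client-A, all of them the most recently issued, and a client that exchanges the newest token it holds never notices the expiry. Only a client that kept and replayed one of the oldest tokens would get an invalid-grant style failure.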
