We are getting emails about at least one user using too many refresh tokens. How do we find which user is getting too many refresh tokens and what app they are using.
Welcome to the Auth0 Community!
Unfortunately, there isn’t a corresponding endpoint or filter that can find out which user is responsible for owning too many refresh tokens. The only way to do so is to reach out to our Developer Support Team to export this information.
However, allow me to clarify that if a user has 200 valid refresh tokens for the same application, and requests 1 more (201), then the oldest requested refresh token will expire, and the newest 200 refresh tokens will remain, which includes the one that was just requested. In this way, you are not increasing the quota.
I hope this helps!
Please let me know if you have any additional questions.
Backward linking to the same question asked on this post.
Just trying to clean up how we are using the tokens. As too many refresh tokens seems like a security issue it would be nice for that to be added to the user interface.
For now I will look at tightening all the expiration on refresh tokens.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.