I got an email from Auth0 stating that there is a user in my tenant that has more than 200 refresh tokens, and I don’t know how to find that user. Is there a way to filter users based on the # of refresh tokens?
Welcome to the Auth0 Community!
Unfortunately, there isn’t a corresponding endpoint or filter that can find out which user is responsible for owning more than X amount of refresh tokens. The only way to do so is to reach out to our Developer Support Team to export this information.
In this situation, I recommend changing the Refresh Token Expiration found on your Application settings. Specifically, you could lower the Absolute Lifetime and Inactivity Lifetime values such that it forces all issued refresh tokens to be invalidated and prompt the user to re-authenticate (e.g 1 second). This is most effective if you happen to know which applications are affected, or if you have a low number of applications.
I hope this helps!
Please let me know how it works for you.
Thanks,
Rueben
Backward linking to the same question asked on this post.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.