Hello,
In a previous post, I was asking about the /api/v2/users/{user_id}/refresh-tokens endpoint. I am still stuck on what the best practice should be, as alluded to in my follow-up question.
As that post was closed, I’m migrating to a new post with the follow-up. (previous post: API Subscription missing entitlement - feature_not_enabled - /api/v2/users/{user_id}/refresh-tokens)
Thank you for coming back to the Auth0 Community with an update to your initial post.
I am sorry about the late reply to your inquiry.
As you have mentioned in your initial post, my personal recommendation would be to implement Refresh Token Rotation. This is indeed a way in which you will be able to mitigate and take care of leaks in your refresh tokens since it has automatic detection when a refresh token is reused. This way, you will not need your own database to be the “middle man” between your application and Auth0. If you still wish to save this data in your database, you should be able to store any provided refresh tokens that were used for rotation.
You can take a look at our blog related to Rotating Refresh Tokens as well in order to learn more about implementing them with your application.
If you have any other questions regarding the matter, feel free to leave a reply or post again on the community page!