Question: How can I log a user out of all sessions and revoke refresh tokens after a successful password reset/change?
After a successful password reset, Auth0 clears the user's session cookies on the Auth0 side, which logs the user out of browser-based applications. That alone does not cover applications holding refresh tokens: to fully log the user out, the refresh tokens issued to that user must also be revoked. This can be done in a post change password hook that calls one of the revoke refresh token endpoints.
Please note that this does not invalidate access tokens that have already been issued; they remain usable until they expire. Keep access token lifetimes short so that this window stays small. Learn how to update access token lifetimes.
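The hook described above, as an added example that is not Auth0's own code or part of the original answer. It is written as an Actions handler for the post-change-password trigger (the signature `onExecutePostChangePassword(event, api)` is Auth0's; the page itself says "hook"), obtains a Management API token with the client credentials grant, and then calls the Management API's delete-refresh-tokens-for-a-user endpoint (`DELETE /api/v2/users/{id}/refresh-tokens`). Everything else is an assumption for illustration: the secret names `DOMAIN`, `CLIENT_ID` and `CLIENT_SECRET`, the tenant domain and user id in the demo, and the `makeStubFetch` stand-in that replaces the network so the handler can be exercised offline.

```javascript
'use strict';

// Added example, not Auth0's own code: an Actions handler for the
// post-change-password trigger that revokes every refresh token the user holds.
// Assumptions (not from the original page): the Action has secrets named
// DOMAIN, CLIENT_ID and CLIENT_SECRET for a machine-to-machine application
// authorised for the Management API, and the Node runtime provides fetch.

// Exchange client credentials for a Management API access token.
async function getManagementToken({ domain, clientId, clientSecret }, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`https://${domain}/oauth/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: clientId,
      client_secret: clientSecret,
      audience: `https://${domain}/api/v2/`,
    }),
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const body = await res.json();
  if (!body.access_token) throw new Error('token response lacked access_token');
  return body.access_token;
}

// DELETE /api/v2/users/{id}/refresh-tokens revokes all of the user's refresh tokens.
// The user id (e.g. "auth0|...") must be URL-encoded before it goes into the path.
async function revokeUserRefreshTokens({ domain, token, userId }, fetchImpl = globalThis.fetch) {
  const url = `https://${domain}/api/v2/users/${encodeURIComponent(userId)}/refresh-tokens`;
  const res = await fetchImpl(url, { method: 'DELETE', headers: { authorization: `Bearer ${token}` } });
  if (!res.ok) throw new Error(`refresh token revocation failed for ${userId}: HTTP ${res.status}`);
  return res.status;
}

// Action entry point. `api` is unused: this trigger only reacts to a completed
// password change, it cannot alter it. A thrown error surfaces in the Action logs.
async function onExecutePostChangePassword(event, api, fetchImpl = globalThis.fetch) {
  const config = {
    domain: event.secrets.DOMAIN,
    clientId: event.secrets.CLIENT_ID,
    clientSecret: event.secrets.CLIENT_SECRET,
  };
  const token = await getManagementToken(config, fetchImpl);
  return revokeUserRefreshTokens({ domain: config.domain, token, userId: event.user.user_id }, fetchImpl);
}

// Constructed stand-in for fetch so the handler can run offline: records each
// request and answers the way Auth0 would (token JSON first, then 204 No Content).
function makeStubFetch(calls = []) {
  return async (url, init) => {
    calls.push({ url, method: init.method, auth: init.headers.authorization || null, body: init.body || null });
    if (url.endsWith('/oauth/token')) {
      return { ok: true, status: 200, json: async () => ({ access_token: 'mgmt-token-123', token_type: 'Bearer' }) };
    }
    return { ok: true, status: 204, json: async () => ({}) };
  };
}

// Drive the handler with a constructed event against the stub and return what happened.
async function demo() {
  const calls = [];
  const event = {
    user: { user_id: 'auth0|5f1c9e2b' },                      // constructed user id
    secrets: { DOMAIN: 'example.us.auth0.com', CLIENT_ID: 'cid', CLIENT_SECRET: 'csecret' },
  };
  const status = await onExecutePostChangePassword(event, {}, makeStubFetch(calls));
  return { status, calls };
}

// Auth0 Actions read exports.onExecutePostChangePassword; the rest is exported for testing.
module.exports = { onExecutePostChangePassword, getManagementToken, revokeUserRefreshTokens, makeStubFetch, demo };
```

Deployed as an Action, only `onExecutePostChangePassword` matters; the machine-to-machine application behind `CLIENT_ID` must be authorised for the Management API with the scope that endpoint requires (`delete:refresh_tokens` at the time of writing; check the endpoint's documentation). If you would rather revoke one specific token than all of them, the `/oauth/revoke` endpoint takes a single refresh token instead. As the answer notes, neither call touches access tokens already in circulation, which is why their lifetime should be short.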