How can I log a user out of all sessions after a password reset/change?

Question: How can I log a user out of all sessions and revoke refresh tokens after a successful password reset/change?

Answer:

After a successful password reset, session cookies are automatically cleared on the Auth0 side, logging users out of browser-based apps. In order to fully log a user out, we must revoke refresh tokens for that user. This can be set up in a post change password hook that utilizes one of the revoke refresh token endpoints.

Please note, this will not invalidate existing access tokens. Short-lived access tokens should be used in this case. Learn how to update access token lifetimes.
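An added illustration of the hook logic described above, not code from the answer or from Auth0's documentation. It assumes the Management API device-credentials endpoints (`GET /api/v2/device-credentials?type=refresh_token&user_id=...` and `DELETE /api/v2/device-credentials/{id}`) and an `http` helper that already carries a suitably scoped Management API token; both are assumptions to check against the current API reference, and the sample credential list is constructed.

```javascript
// Added example (not from the page): revoke every refresh token that belongs
// to the user whose password just changed. Endpoint paths and the `http`
// helper (get/del returning promises) are assumptions.

// Pure planning step: from the credentials the API returned, decide which
// DELETE calls to make. Type and owner are re-checked here so that a wrong
// or over-broad listing can never revoke another user's tokens.
function planRevocations(userId, credentials) {
  return credentials
    .filter((c) => c.type === 'refresh_token' && c.user_id === userId)
    .map((c) => `/api/v2/device-credentials/${encodeURIComponent(c.id)}`);
}

// Orchestration: list, plan, delete. Resolves to the number of tokens revoked.
// Any failure propagates so the hook can report it instead of leaving tokens live.
async function revokeAllRefreshTokens(userId, http) {
  const query = `type=refresh_token&user_id=${encodeURIComponent(userId)}`;
  const credentials = await http.get(`/api/v2/device-credentials?${query}`);
  const paths = planRevocations(userId, credentials);
  for (const path of paths) {
    await http.del(path);
  }
  return paths.length;
}

// Constructed stand-in for the Management API so the example runs offline.
// In the real hook, `http` would call the API with a Management API token.
function makeFakeManagementApi(credentials) {
  const deleted = [];
  return {
    deleted,
    get: async () => credentials,
    del: async (path) => { deleted.push(path); },
  };
}

// Constructed sample: two users, only one of whom changed their password.
const SAMPLE_CREDENTIALS = [
  { id: 'dcr_1', type: 'refresh_token', user_id: 'auth0|alice' },
  { id: 'dcr_2', type: 'public_key',    user_id: 'auth0|alice' },
  { id: 'dcr_3', type: 'refresh_token', user_id: 'auth0|bob' },
];

// Inside the post change password hook you would call
// revokeAllRefreshTokens(<user id from the hook>, http) and invoke the
// hook's callback only after the promise settles.
```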

Supporting Documentation:

Documentation: Revoke Refresh Tokens, Post Change Password Hook, User Sessions