
How to destroy JWT token when signout

jwt

#1

I am using Lock to enter the username/password, then get the JWT token and access my application. Now I want that when the user clicks signout, the token becomes invalidated and we can’t use this token anymore.

Could you please help me with how I can do that?


#2

The provided information is somewhat insufficient to provide definitive guidance; for example, both the ID tokens and access tokens issued presently by the Auth0 service can be represented as a JWT. However, ID tokens and access tokens have different processing rules and different consumers, so what may apply to one may not exactly apply to the other.

At this time there is no support for access token revocation from the Auth0 service side of things, so an issued access token will be valid until its associated expiration time. Having said that, in the future there may be out-of-the-box support for it.

In addition, the general recommendation would be that ID tokens should have a really short expiration time (in the order of minutes), which would make invalidation of this sort of token mostly a non-issue.

For access tokens issued to resource servers (aka APIs) you configured in Auth0, if you so desire, you can implement your own invalidation logic, but this would mostly be your own custom implementation given that, as mentioned before, access token revocation does not yet have any support from the service side of things. You may want to consider reducing the lifetime of issued access tokens as a mitigation for this type of problem. As an additional note, refresh tokens can already be revoked using this endpoint.
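The reply above leaves the access-token invalidation logic on the resource-server side as "your own custom implementation". As an added example (not from this thread, and not Auth0's own code), the Python below sketches that pattern end to end: short-lived HS256 tokens that carry a unique `jti`, a resource-server denylist keyed by `jti` that forgets an entry once the token would have expired anyway, and a sign-out handler that adds the presented token to it. The secret, claims, timestamps and the `issue_token`/`verify_token`/`sign_out` names are all constructed for the demo; a real API would verify tokens against the issuer's published signing key and would keep the denylist in shared storage so every instance sees the same sign-outs.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real API validates tokens with the issuer's key instead.
SECRET = b"constructed-demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, jti: str, ttl: int, now: int) -> str:
    """Mint a short-lived HS256 JWT carrying a unique jti (hypothetical issuer side)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RevocationList:
    """Resource-server denylist keyed by jti. Entries are dropped once the token they
    belong to has expired, so the list stays bounded by the token lifetime."""

    def __init__(self) -> None:
        self._revoked: dict[str, int] = {}  # jti -> exp

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def purge(self, now: int) -> None:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def is_revoked(self, jti: str, now: int) -> bool:
        self.purge(now)
        return jti in self._revoked

    def size(self) -> int:
        return len(self._revoked)


def verify_token(token: str, revoked: RevocationList, now: int):
    """Return (payload, 'ok') or (None, reason). Signature and expiry are checked
    first; the denylist lookup is what makes sign-out effective before exp."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:  # covers bad base64 and bad JSON
        return None, "malformed"
    if header.get("alg") != "HS256":  # only accept the algorithm we actually use
        return None, "unexpected alg"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    try:
        payload = json.loads(_b64url_decode(p))
    except ValueError:
        return None, "malformed"
    if payload.get("exp", 0) <= now:
        return None, "expired"
    if revoked.is_revoked(payload.get("jti", ""), now):
        return None, "revoked"
    return payload, "ok"


def sign_out(token: str, revoked: RevocationList, now: int) -> bool:
    """Sign-out handler: a still-valid token is denylisted until its own exp."""
    payload, _status = verify_token(token, revoked, now)
    if payload is None:
        return False
    revoked.revoke(payload["jti"], payload["exp"])
    return True


def demo():
    """Login, use, sign-out, replay, forgery and expiry, with a fixed (constructed) clock."""
    revoked = RevocationList()
    t0 = 1_700_000_000
    token = issue_token("user@example.com", "jti-0001", ttl=300, now=t0)
    before = verify_token(token, revoked, now=t0 + 10)[1]
    signed_out = sign_out(token, revoked, now=t0 + 20)
    after = verify_token(token, revoked, now=t0 + 30)[1]
    # A forged payload reusing the original signature fails before the denylist is consulted.
    h, _, s = token.split(".")
    forged = h + "." + _b64url(b'{"sub":"admin","jti":"jti-0001","exp":9999999999}') + "." + s
    forged_status = verify_token(forged, revoked, now=t0 + 30)[1]
    late = verify_token(token, revoked, now=t0 + 400)[1]
    revoked.purge(now=t0 + 400)  # the denylist entry goes away with the token itself
    return before, signed_out, after, forged_status, late, revoked.size()


if __name__ == "__main__":
    print(demo())  # ('ok', True, 'revoked', 'bad signature', 'expired', 0)
```

Because the denylist only has to remember a `jti` until that token's `exp`, its size is bounded by how many sign-outs happen within one token lifetime, which is why the short expiration times the reply recommends also keep this custom invalidation cheap.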


#3