Hi. I have a SPA using React and a mobile app (Two different Auth0 apps) developed using “React Native”. In these two applications (There are more), we are trying to set up Auth0 in the best way possible. We have a scenario to “Invalidate” the user’s token from all devices when the user changes th…

Invalidate Refresh token after "Change Password"

dan.woda March 31, 2020, 7:49pm 3

You cannot revoke access tokens, they are stateless. You should have access tokens set to a short lifetime, and use refresh tokens to renew them for a long lived ‘session’.

When you want to expire that session, you revoke the refresh tokens, effectively ending all sessions and requiring re-authentication.

In your case, you can use the post change password hook to revoke the tokens, which will asynchronously revoke the tokens after a password reset.

Let me know if that helps,
Dan

SPA invalidate all sessions on password change

Topic		Replies	Views
SPA invalidate all sessions on password change Help auth0 , spa , auth0-spa-js	4	6325	November 20, 2020
How do we invalidate the refresh token for a user, whenever the user changes their password. Help token , auth0-users , change-password , users	6	11909	March 2, 2018
Revoke refresh tokens after password change Help	3	6570	September 10, 2021
Revoke Refresh Tokens when a User Changes or Reset Password after Account Compromise Knowledge Articles password-reset , refresh-tokens , revoke	1	31	October 31, 2024
Unable to revoke refresh tokens Help auth0 , refresh-tokens	2	2064	December 21, 2022

Invalidate Refresh token after "Change Password"

Related topics