Invalidate Refresh token after "Change Password"

Hi @love.huria,

You cannot revoke access tokens; they are stateless. You should have access tokens set to a short lifetime, and use refresh tokens to renew them for a long-lived ‘session’.

When you want to expire that session, you revoke the refresh tokens, effectively ending all sessions and requiring re-authentication.

In your case, you can use the post change password hook to revoke the tokens, which will asynchronously revoke the tokens after a password reset.

Let me know if that helps,
Dan
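
The model described in this reply, as an added example that is not part of the original post and is not any vendor's code: a stateless signed access token next to a stateful refresh token that a password-change handler revokes. The in-memory store, the HMAC token format, the 300-second lifetime and every function name (`onPasswordChanged` included) are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const SIGNING_KEY = crypto.randomBytes(32); // demo key, generated per run
const ACCESS_TTL_S = 300;                   // assumed short access-token lifetime
const refreshStore = new Map();             // refresh token -> { userId } (stand-in for a database)

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const sign = (payload) =>
  crypto.createHmac("sha256", SIGNING_KEY).update(payload).digest("base64url");

// Stateless access token: validity is decided by signature and expiry alone.
function issueAccessToken(userId, now) {
  const payload = b64({ sub: userId, exp: now + ACCESS_TTL_S });
  return `${payload}.${sign(payload)}`;
}

function verifyAccessToken(token, now) {
  const [payload, sig] = token.split(".");
  if (!payload || !sig) return null;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString());
  return claims.exp > now ? claims : null; // no store lookup, so nothing to revoke
}

// Stateful refresh token: an opaque random value that must still be in the store.
function issueRefreshToken(userId) {
  const token = crypto.randomBytes(32).toString("base64url");
  refreshStore.set(token, { userId });
  return token;
}

function refresh(refreshToken, now) {
  const entry = refreshStore.get(refreshToken);
  return entry ? issueAccessToken(entry.userId, now) : null;
}

// Hypothetical post-change-password handler: remove every refresh token of the user.
function onPasswordChanged(userId) {
  let revoked = 0;
  for (const [token, entry] of refreshStore) {
    if (entry.userId === userId) { refreshStore.delete(token); revoked++; }
  }
  return revoked;
}
```

In this model an access token issued before the password change still verifies until its `exp`, so the access-token lifetime is the window during which an old session keeps working.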