Invalidate Refresh token after "Change Password"


I have a SPA using React and a mobile app (Two different Auth0 apps) developed using “React Native”. In these two applications (There are more), we are trying to set up Auth0 in the best way possible.

We have a scenario to “Invalidate” the user’s token from all devices when the user changes their password in either of the apps. Is there a way to do, may using Rule?

Or what is the recommended strategy in case of the mobile app where we use “Refresh token” and it has no expiry? Please suggest.

Hi @love.huria,

You cannot revoke access tokens, they are stateless. You should have access tokens set to a short lifetime, and use refresh tokens to renew them for a long lived ‘session’.

When you want to expire that session, you revoke the refresh tokens, effectively ending all sessions and requiring re-authentication.

In your case, you can use the post change password hook to revoke the tokens, which will asynchronously revoke the tokens after a password reset.

Let me know if that helps,

Ok, let me look into that and come back.

1 Like

Sounds good, let us know!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.