Limit number of active user sessions by revoking refresh tokens upon login?

I’m building a SPA, and I want to limit how many devices can be logged into a single account at any given time. This is a little trickier with JWTs than with cookies, but I think I have a plan that will work based on the Revoke Refresh Tokens reference doc. I’m sharing it here to get feedback and as a reference for anyone else trying to solve the same problem.

Plan

Does anyone see any issues with this plan?

Hi @evan.johnston,

This solution sounds good to me. Thank you for sharing this with the Community!

Unfortunately, I haven’t been able to get this working because I can’t find a way to retrieve all of a user’s existing refresh tokens. The /api/v2/device-credentials endpoint does not list refresh tokens issued in the SPA flow, and if there’s another endpoint that does, I haven’t been able to find it.

I haven’t been able to figure out an appropriate workaround so far.

  • Revoking tokens pre-login using the /oauth/revoke endpoint won’t work without an existing refresh token. I don’t see a way to revoke tokens from previous sessions without also revoking the token for the current session.
  • I thought revoking the application grant pre-login might work, but degrade UX by forcing the user to authorize a new grant on every login. Instead, the grants are auto-authorized (presumably because they’re first-party?), and the SPA is able to log in again without the user re-entering their credentials. Because my goal is to deter users from sharing a single account, this doesn’t suit my needs.
  • It seems possible that I could configure Auth0 to treat my SPA as a device such that its refresh tokens would be accessible via /api/v2/device-credentials, but this seems like it might be a lot of work and I’m not confident I would be able to do it securely.

Am I missing something? Does anyone have any suggestions?