Hmm good question - I can’t think a good way to go about this unfortunately. You’d most likely want to focus on a user’s session rather than tokens, but other than logout endpoints there isn’t a great way to do this. It would also be difficult to determine/decide on the “oldest” session and could make for a poor UX While not exactly the use case described, you could effectively deny user’s in Action based on the number of users already associated with a client_id - This approach is not straightforward either and would take a bit of legwork.