Logout Not Invalidating Access Token in Machine-to-Machine Application

Hi @karthik.ravirambe,

Welcome to the Auth0 Community!

Unfortunately, JWT access tokens cannot be revoked and are valid until they expire. Hence, the token can be used against the /userinfo endpoint even though the user has already logged out.

In general, we recommend using short-lived access tokens to prevent token abuse/misuse.

I suggest referencing our Invalidating an Access Token after User Logout documentation for a detailed explanation.

Cheers,
Rueben

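As an added illustration (not part of Rueben's reply or of Auth0's own code) of why logout cannot reach an already-issued JWT: a resource server such as /userinfo only checks the signature and the `exp` claim, so with no server-side state the token lifetime is the only lever. The HS256 secret, user id, session store and timestamps are constructed for the example.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed signing secret for the example; in a real deployment only the
# authorization server holds the key and the resource server verifies with it.
SECRET = b"example-shared-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub: str, lifetime_s: int, now: int) -> str:
    """Issue an HS256 JWT that expires `lifetime_s` seconds after `now`."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + lifetime_s}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, now: int) -> Optional[dict]:
    """Stateless check a resource server performs: signature and expiry only.
    Returns the claims if the token is acceptable, otherwise None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    return None if now >= claims["exp"] else claims

def logout(session_store: set, sub: str) -> None:
    """Ends the user's session at the authorization server. Nothing here can
    touch tokens already handed to the client, because they carry no server state."""
    session_store.discard(sub)

def demo() -> tuple:
    """Returns (long-lived token still accepted, short-lived token still accepted)
    ten minutes after the user logged out."""
    t0 = 1_700_000_000                     # constructed issue time
    sessions = {"user123"}
    long_lived = mint_token("user123", 24 * 3600, t0)   # 24 h lifetime
    short_lived = mint_token("user123", 300, t0)        # 5 min lifetime
    logout(sessions, "user123")
    later = t0 + 600                       # ten minutes after logout
    return (verify_token(long_lived, later) is not None,
            verify_token(short_lived, later) is not None)
```

`demo()` returns `(True, False)`: the 24-hour token is still honoured after logout, while the 5-minute token has already expired, which is the reason short-lived access tokens limit the window of misuse.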