Refresh token revocation

Problem statement

How to invalidate a user's session in an Auth0 native app after that user resets their password in the web app: revoke the user's refresh tokens through the Management API so the native app is logged out.

Solution

Follow the steps below to remove the offline_access grant for the user.

  1. Call GET /api/v2/grants?user_id=<user_id>
  2. Call DELETE /api/v2/grants/{id} with the chosen grant id.
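
The two steps above as a script, added here as an example (it is not Auth0's own code). It assumes a Management API token carrying the read:grants and delete:grants scopes, selects only the grants whose scope list contains offline_access (the ones that back refresh tokens), deletes each by id, and stops on the first non-success status so a failed deletion is never silently skipped. The tenant domain, user id, grant ids and the in-memory FakeManagementApi are constructed so the example runs offline; pass the real urllib_transport (the default) against a live tenant.

```python
"""Revoke a user's refresh tokens by deleting the offline_access grants behind them
(Auth0 Management API v2). Added example, not Auth0's own code."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# A transport takes (method, url, headers) and returns (status, body).
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real HTTPS transport, used when no fake is injected."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


def _headers(mgmt_token: str) -> Dict[str, str]:
    return {"Authorization": f"Bearer {mgmt_token}", "Accept": "application/json"}


def list_user_grants(domain: str, mgmt_token: str, user_id: str,
                     transport: Transport = urllib_transport) -> List[dict]:
    """Step 1: GET /api/v2/grants?user_id=<user_id>."""
    query = urllib.parse.urlencode({"user_id": user_id})
    url = f"https://{domain}/api/v2/grants?{query}"
    status, body = transport("GET", url, _headers(mgmt_token))
    if status != 200:
        raise RuntimeError(f"listing grants failed with HTTP {status}: {body}")
    return json.loads(body)


def refresh_token_grants(grants: List[dict]) -> List[dict]:
    """Keep only grants whose scope list carries offline_access; other consents stay."""
    return [g for g in grants if "offline_access" in g.get("scope", [])]


def revoke_refresh_tokens(domain: str, mgmt_token: str, user_id: str,
                          transport: Transport = urllib_transport) -> List[str]:
    """Step 2: DELETE /api/v2/grants/{id} for each selected grant; returns deleted ids."""
    deleted = []
    for grant in refresh_token_grants(list_user_grants(domain, mgmt_token, user_id, transport)):
        grant_id = urllib.parse.quote(grant["id"], safe="")
        url = f"https://{domain}/api/v2/grants/{grant_id}"
        status, body = transport("DELETE", url, _headers(mgmt_token))
        if status not in (200, 204):
            raise RuntimeError(f"deleting grant {grant['id']} failed with HTTP {status}: {body}")
        deleted.append(grant["id"])
    return deleted


# Constructed sample data: one user with a native-app grant (offline_access) and a
# web-app grant (no refresh token), plus another user's grant that must be untouched.
SAMPLE_GRANTS = [
    {"id": "ggr_example1", "clientID": "client_native_app", "user_id": "auth0|example-user",
     "audience": "https://example-tenant.auth0.com/userinfo",
     "scope": ["openid", "profile", "offline_access"]},
    {"id": "ggr_example2", "clientID": "client_web_app", "user_id": "auth0|example-user",
     "audience": "https://example-tenant.auth0.com/userinfo", "scope": ["openid", "profile"]},
    {"id": "ggr_example3", "clientID": "client_native_app", "user_id": "auth0|other-user",
     "audience": "https://example-tenant.auth0.com/userinfo", "scope": ["openid", "offline_access"]},
]


class FakeManagementApi:
    """Constructed in-memory stand-in for the two endpoints so the example runs offline."""

    def __init__(self, expected_token: str, grants: List[dict]):
        self.expected_token = expected_token
        self.grants = {g["id"]: dict(g) for g in grants}
        self.calls: List[Tuple[str, str]] = []

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        self.calls.append((method, url))
        if headers.get("Authorization") != f"Bearer {self.expected_token}":
            return 401, json.dumps({"error": "Unauthorized"})
        parsed = urllib.parse.urlparse(url)
        if method == "GET" and parsed.path == "/api/v2/grants":
            user_id = urllib.parse.parse_qs(parsed.query).get("user_id", [None])[0]
            return 200, json.dumps([g for g in self.grants.values() if g["user_id"] == user_id])
        if method == "DELETE" and parsed.path.startswith("/api/v2/grants/"):
            grant_id = urllib.parse.unquote(parsed.path.rsplit("/", 1)[1])
            if grant_id in self.grants:
                del self.grants[grant_id]
                return 204, ""
        return 404, json.dumps({"error": "Not Found"})


if __name__ == "__main__":
    api = FakeManagementApi("TEST_MGMT_TOKEN", SAMPLE_GRANTS)
    gone = revoke_refresh_tokens("example-tenant.auth0.com", "TEST_MGMT_TOKEN",
                                 "auth0|example-user", transport=api)
    print("deleted grants:", gone, "remaining:", sorted(api.grants))
```

Run this right after the password reset completes; the native app's next refresh-token exchange then fails and the user must sign in again. Grants without offline_access are left in place so the user's other consents survive.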

Note: Deleting a grant automatically deletes the associated device credential as well, so this approach removes the user's consent together with the Refresh Token.