Reminder: New Auth0 Refresh Token Limits

How are you affected?

We have noticed in our reporting that there is at least one user in your Auth0 tenant(s): redzonerobotics@us that is exceeding our 200 valid refresh tokens per user per application limit. Existing tenants above this limit will receive the new policy starting October 17th, 2022.

A tenant provides authentication for two different applications: MyMobile and MyWeb. Each application requests multiple unexpiring tokens for user Alice. After some time, MyMobile holds 200 active refresh tokens for Alice and MyWeb holds an additional 200. At this point, the limit does not intervene.

If MyWeb application requests a new refresh token for Alice, the service will issue that new token and revoke the oldest refresh token for Alice in MyWeb. MyMobile is not involved. Applications can request any number of refresh tokens, only the last 200 will be valid to exchange for an access token.

A client application exchanging any of the last 200 tokens is unaffected. A client application trying to exchange a revoked token will be redirected to obtain a new one and, if there is no active session, Auth0 will ask the user to login.

What action do you need to take?
No action is needed unless you think you are in need of 200+ refresh tokens per end-user in at least one of your applications. Please keep the following in mind when considering refresh token usage:

  • There are no standard business use cases that require hundreds of user refresh tokens in the same client application. Please, let us know if you have any questions.
  • Health checkers and probes: Synthetic test users loop over the login process to generate and abandon a large amount of refresh tokens. Higher frequencies spawn higher numbers but only use the last recently created token. The clean-up process transparently tackles test leftovers.

If you need help identifying your use case, contact us by using the Auth0 Support Center to analyze your case in more detail. Please keep in mind that existing tenants above this limit will receive the new policy starting October 17th, 2022.

Help me on this Email. I am new to Auth0

Hey there @ssreehari welcome to the community!

We’ve got an FAQ on this here:

Essentially, unless there is a specific reason your user(s) need hundreds of refresh to the new policy will still allow new refresh tokens to be created while removing the oldest. It might be worth reaching out to your customer and then contacting support if you see this being an issue.

Hope this helps!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.