Revoke API access on user_metadata change

Basically we have an account status saved as a field in the user_metadata.
We want to revoke access to our API if their status becomes a specific value (‘terminated’ for example)
Is this possible?

Hi @steven5,

Welcome to the Auth0 Community!

JWT access tokens in the (context of Auth0) cannot be revoked. This means that outstanding access tokens must expire to become invalid. Because of your requirement, you should consider making your access tokens short-lived (5 minutes, for example). This means that any changes are reflected in less than or equal to the access token lifetime.

How are you checking the user’s metadata?

Note: user_metadata is intended for data that can be changed by the user (a favorite color, for instance). Instead of user_metadata, you should use app_metadata for authorization data.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.