Revoke Refresh Token on Logout

Feature: Remove refresh token from Active devices on logout

Description: When a user logs out of a SPA, calling the logout endpoint does not revoke the refresh token. This leaves it available for use if it is compromised on the client side or in transit. The revoke refresh token endpoint can be called separately, but it would be good to remove the refresh token for the device on logout.

Use-case: We’re building a SaaS AI SPA and use Auth0 to protect access to our resource APIs.
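The workaround the request mentions, calling the revocation endpoint separately before logging out, can be sketched as follows. This is an added example, not part of the original post or Auth0's SDK; the tenant domain, client ID, return URL and the helper names (`buildRevokeRequest`, `buildLogoutUrl`, `revokeThenLogout`) are placeholders, and it assumes the SPA holds its refresh token and is registered as a public client.

```javascript
// Added example. Domain and client ID are placeholders, not real values.
const AUTH0_DOMAIN = "example-tenant.auth0.com";
const CLIENT_ID = "EXAMPLE_CLIENT_ID";

// Build the POST /oauth/revoke request. A SPA is a public client,
// so no client_secret is included in the body.
function buildRevokeRequest(domain, clientId, refreshToken) {
  return {
    url: `https://${domain}/oauth/revoke`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ client_id: clientId, token: refreshToken }),
    },
  };
}

// Build the /v2/logout redirect URL that ends the Auth0 session.
function buildLogoutUrl(domain, clientId, returnTo) {
  const u = new URL(`https://${domain}/v2/logout`);
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("returnTo", returnTo);
  return u.toString();
}

// Revoke the refresh token first, then hand back the logout URL.
// fetchImpl and clearToken are injectable (hypothetical hooks) so the
// flow can be exercised without a network or a real token store.
async function revokeThenLogout({ domain, clientId, refreshToken, returnTo,
                                  fetchImpl = fetch, clearToken = () => {} }) {
  let revoked = false;
  if (refreshToken) {
    const { url, init } = buildRevokeRequest(domain, clientId, refreshToken);
    try {
      const res = await fetchImpl(url, init);
      revoked = res.ok; // the endpoint answers 200 when the token is revoked
    } catch (_) {
      revoked = false;  // network failure: token may still be valid server-side
    }
  }
  clearToken(); // always drop the local copy, even if revocation failed
  // Caller should log or retry when revoked === false before redirecting.
  return { revoked, logoutUrl: buildLogoutUrl(domain, clientId, returnTo) };
}
```

In the browser, the caller would navigate to `logoutUrl` after the promise resolves; a `revoked: false` result means the token is still listed as active on the server and should be retried or flagged.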

Hey there!

Thank you for creating this feedback card. Let’s see who else from the community will be interested in such an improvement!