Revoke refresh tokens after password change

Hi @chriscosentino,

Are you using rotating refresh tokens? If so, automatic reuse detection could do this for you, as only the latest Refresh Token would be accepted. If any Refresh Token in the ‘family’ was reused, all Refresh Tokens would be invalidated and the user would have to re-authenticate to get a new Refresh Token.
So after a password reset, it would only take the legitimate user a single attempt to get a new Refresh Token to invalidate all other refresh tokens and ensure only the user with the latest password could get a new one.

If you still wanted to go down the route of revoking refresh tokens straight away, you would need to call the GET Device-credentials endpoint in your action to fetch the user_id’s refresh tokens, and then revoke them:

There is a guide here on how to use the Management API within Actions:

1 Like
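An added example, not code from this thread or from Auth0, of the two-step revocation described in the reply above (list the user's device credentials via the Management API, then delete each refresh token) as it could sit in a post-change-password Action. The secret names, the scope names, the paging parameters and the fake Management API used to run it offline are assumptions.

```javascript
// Added example (not the thread's or Auth0's code): list a user's device credentials, then delete each refresh token.
const PER_PAGE = 50;

async function revokeUserRefreshTokens({ domain, mgmtToken, userId, fetchImpl }) {
  const headers = { Authorization: `Bearer ${mgmtToken}` };
  const base = `https://${domain}/api/v2/device-credentials`;
  const ids = []; // list everything first: deleting while paging by offset skips entries
  for (let page = 0; ; page++) {
    const qs = new URLSearchParams({ user_id: userId, page, per_page: PER_PAGE });
    const res = await fetchImpl(`${base}?${qs}`, { headers });
    if (!res.ok) throw new Error(`listing device credentials failed: HTTP ${res.status}`);
    const creds = await res.json();
    // public_key entries are device keys, not refresh tokens, so they are left alone
    ids.push(...creds.filter((c) => c.type !== 'public_key').map((c) => c.id));
    if (creds.length < PER_PAGE) break; // last page
  }
  for (const id of ids) {
    const del = await fetchImpl(`${base}/${encodeURIComponent(id)}`, { method: 'DELETE', headers });
    // 404 = already gone (e.g. invalidated by reuse detection), which is the end state we want
    if (del.status !== 204 && del.status !== 404) throw new Error(`revoking ${id} failed: HTTP ${del.status}`);
  }
  return ids;
}

// In a post-change-password Action this is exported as exports.onExecutePostChangePassword.
// Assumed: event.secrets holds the tenant domain and a Management API token with
// read:device_credentials and delete:device_credentials scopes.
async function onExecutePostChangePassword(event, fetchImpl = globalThis.fetch) {
  const { MGMT_DOMAIN: domain, MGMT_TOKEN: mgmtToken } = event.secrets;
  return revokeUserRefreshTokens({ domain, mgmtToken, userId: event.user.user_id, fetchImpl });
}

// Constructed offline stand-in for the Management API: one user with two refresh tokens and one device public key.
function makeFakeMgmtApi() {
  const store = [
    { id: 'dcr_1', type: 'refresh_token', user_id: 'auth0|u1' },
    { id: 'dcr_2', type: 'public_key', user_id: 'auth0|u1' },
    { id: 'dcr_3', type: 'rotating_refresh_token', user_id: 'auth0|u1' } ];
  return async (url, opts = {}) => {
    const u = new URL(url);
    if (opts.method !== 'DELETE') {
      const page = Number(u.searchParams.get('page')), user = u.searchParams.get('user_id');
      const hits = store.filter((c) => c.user_id === user).slice(page * PER_PAGE, (page + 1) * PER_PAGE);
      return { ok: true, status: 200, json: async () => hits };
    }
    const i = store.findIndex((c) => c.id === decodeURIComponent(u.pathname.split('/').pop()));
    if (i >= 0) store.splice(i, 1);
    return { ok: i >= 0, status: i >= 0 ? 204 : 404 };
  };
}
```

Running `onExecutePostChangePassword(event, makeFakeMgmtApi())` against the constructed store returns `['dcr_1', 'dcr_3']` and leaves only the public key behind; a second run finds nothing left to revoke.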