Revoking Access Tokens

Doesn’t Auth0 have an API to revoke access tokens in case there has been a compromise?

I only see an API for revoking refresh tokens: https://auth0.com/docs/api/authentication#revoke-refresh-token

Hi @veetil09,

Welcome to the Community!

Auth0 access tokens are stateless bearer tokens by design, which means there is no central repository of issued tokens to revoke them from. Is there a specific scenario you are concerned about?

Let me know,
Dan

Hello @dan.woda,

Thank you for your reply.

What should we do when an access token is compromised and has still NOT expired? How do we invalidate it?

This is the importance of short-lived tokens, particularly when they are used in apps that could be more vulnerable to an attack, like a SPA. We have mandatory token expirations for this reason.
