
SPA+API access tokens still valid even after a logout

So a question:
Let’s assume you implement https://auth0.com/docs/architecture-scenarios/application/spa-api.

  • Since this is an SPA we are storing the access token in local storage
  • So a user who digs around can locate these access tokens and store them
  • Then the user logs out.
  • However they can still make any call to backend APIs until the token expires

Isn’t this a fundamental problem? From a high level, the user has logged out, yet he/she is still able to make API calls.

Thank you