Auth0 Home Blog Docs

SPA+API access tokens still valid even after a logout



So a question:
Let’s assume you implement

  • Since this is an SPA we are storing the access token in local storage
  • So a user who digs around can locate these access tokens and store it
  • Then the user logs out.
  • However they can still make any call to backend APIs until the token expires

Isn’t this a fundamental problem? from a high level the user has logged out yet he/she is able to make API calls.

Thank you