Auth0 Home Blog Docs

Suggested way for mass deleting refresh tokens


As a last step to our migration to silent authentication, I’d like to invalidate/delete/revoke all refresh tokens that were previously used in our legacy auth0 based app. What’s the suggested way?

Our legacy auth0 SPA used refresh token as a way to renew tokens without having the user to enter credentials. Since we are migrating to hosted login page + silent auth, we do not need refresh tokens to be stored/used anymore in SPA.



There is a way to revoke refresh tokens via the Management API:


I cannot use that endpoint because I don’t have the refresh token, which is required, so I have to use the management API.

I was just wondering if the only/correct/suggested way is to enumerate each users, get all devices and delete each one one by one using its id of there is something better.



It seems that the endpoint previously mentioned is not even suitable, but I wanted to add that if I recall correctly using that endpoint will also revoke the user grant which means it’s not just the single refresh token that is sent that gets revoked so even if you have the token this may not be what you want to do.

Based on your description these would be refresh token associated with legacy methods so I believe that in order to cleanup the information in question the approach you describe through the API is the one available/suitable (as I’m not even counting doing this manually from the dashboard which also exposes the ability to clean this).


Thanks, I’ll write some batch procedure to delete all old refresh tokens from all users using the management api.


This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.