Skip to main content
You can revoke if they become compromised. Auth0 handles token revocation as though the token has been potentially exposed to malicious adversaries. Additionally, you may consider enabling refresh token rotation so that every time a client exchanges a refresh token to get a new access token, a new refresh token is also returned.

Choose whether token revocation deletes grants

A grant provides an application with access to a resource on another entity without exposing user credentials. Tokens are issued in the context of a grant. When a grant is revoked, so are all tokens issued in the context of that grant. However, when a token is revoked, the grant does not necessarily need to be revoked. You can choose whether token revocation deletes the associated grant in your tenant settings:
  1. Go to Dashboard > Tenant Settings > Advanced.
  2. In the Settings section. enable or disable the Refresh Token Revocation Deletes Grant toggle.
    • Enable the toggle to delete the underlying grant when you revoke the refresh token.
    Each revocation request invalidates all other tokens based on the same authorization grant, which revokes all refresh tokens that have been issued for the same user, application, and audience.
    • Disable the toggle to retain the underlying grant when you revoke the refresh token.
    When a device is unlinked, only the associated refresh token is revoked, leaving the grant intact.
This feature is disabled by default for all tenants created after 13 January 2021.

Revoke a refresh token

You can revoke a refresh token in the following ways:

Using the Auth0 Dashboard

You can use the Auth0 Dashboard to revoke a user’s authorized access to the application that issued the token. This renders the refresh token invalid, which is functionally identical to revoking the token itself.
  1. Go to Dashboard > User Management > Users, and select the name of the user to view.
  2. Select the Authorized Applications tab. This page lists all the applications to which the user has authorized access.
  3. To revoke the user’s access to an authorized application, and hence invalidate the refresh token, click Revoke.

Using the Authentication API

You can use the Authentication API’s Revoke a refresh token endpoint to revoke a refresh token. The endpoint supports access without the for applications that cannot keep the it safe (such as native apps). The application itself must have the its authentication method (tokenEndpointAuthMethod) set to none. When you make a request, the API first validates the application credentials and then verifies whether the token was issued to the application making the revocation request. If this validation fails, the request is refused, and the application is informed of the error. Next, the API invalidates the token. The invalidation takes place immediately, and the token cannot be used again after the revocation. Each revocation request invalidates all the tokens that have been issued for the same authorization grant. For more information, including body parameters, response schemas, and code examples, read the Revoke a refresh token endpoint Authentication API documentation.

Using the Management API device credentials endpoints

To revoke a refresh token using the Auth0 Management API device credentials endpoints:
  1. Get the id of the refresh token you want to revoke using the Retrieve device credentials endpoint. Specify type=refresh_token and a user_id with an access token containing the read:device_credentials scope. To narrow the results, you can also specify the client_id associated with the token (if known).
  2. Revoke the refresh token using the Delete a device credential endpoint. Specify an access token containing the delete:device_credentials scope and the refresh token ID.

Using the Management API refresh token endpoints

The Auth0 Management API refresh token endpoints are currently only available to customers on Enterprise plans. To learn more, read Pricing.
The Management API’s refresh token endpoints supercede the /v2/device-credentials resource endpoints with extended properties and bulk revocation operations. You can view or revoke a specific refresh token with the following endpoints:

Considerations and limitations

  • With the Device Authorization Flow, the only way to force a device to reauthorize is to revoke the refresh token assigned to the device. The device will not be forced to reauthorize until the current access token expires and the application tries to use the revoked refresh token. For more information, read Unlink Devices from Users.
  • When using Refresh Token Rotation, if a previously invalidated token is used, the entire set of refresh tokens issued since that invalidated token was issued will immediately be revoked, requiring the end-user to re-authenticate.
  • Refresh token revocation (DELETE) operations run asynchronously, and are eventually consistent.
  • Refresh tokens issued on or after 21-09-2023 (22-02-2024 for tenants in the US-3 region) contain the session ID (session_id) property with the appropriate value. Refresh tokens issued before this date contain this property with a null value.
To learn more about refresh tokens limitations, read Refresh Tokens limitations.