Manage Refresh Tokens with Auth0 Management API

Auth0 issues a refresh token as a credential artifact that your application can use to obtain a new access token without user interaction. This lets Auth0 keep access token lifetimes short for security purposes without involving the user each time an access token expires.

Management API endpoints

The Auth0 Management API provides endpoints to manage refresh tokens individually or as a collection.

These endpoints complement the other refresh-token revocation mechanisms and supersede the device-credentials resource endpoints, adding extended token properties and bulk revocation operations.

Refresh Token resource

You can view or revoke a specific refresh token with the following endpoints:

Name | URL | Required scope(s)
View refresh token information by ID | GET /api/v2/refresh-tokens/{tokenId} | read:refresh_tokens
Revoke a refresh token by ID | DELETE /api/v2/refresh-tokens/{tokenId} | delete:refresh_tokens

User resource

You can list or revoke all refresh tokens for a given user with the following endpoints:

Name | URL | Required scope(s)
List all refresh tokens for a user | GET /api/v2/users/{userId}/refresh-tokens | read:refresh_tokens
Revoke all refresh tokens for a user | DELETE /api/v2/users/{userId}/refresh-tokens | delete:refresh_tokens

Refresh token properties

The refresh token endpoints return relevant information about the token and its history.

Field | Description
Refresh Token ID | A unique, tenant-specific identifier of the refresh token in the API. It is not the token itself, which is a secret exchanged with the token endpoint of the Authentication API. Refresh tokens can outlive a session; the refresh token keeps this information regardless of the session lifecycle.
Session ID | A persistent identifier of the session in the Auth0 tenant. The session ID corresponds to the sid claim already present in ID Tokens and Logout Tokens and can be used to cross-reference these entities. The refresh token contains a reference to the session that was used to create it; the session ID can be used to retrieve additional information with the Management API "introspect a specific session by ID" endpoint.
Relevant Time | Refresh token creation and expiry information.
Client and Resource Servers Information | Summary information about the applications and APIs bound to a refresh token.

Limitations

  • Refresh token revocation (DELETE) operations run asynchronously and are eventually consistent.

  • Refresh tokens issued on or after 21-09-2023 (22-02-2024 for tenants in the US-3 region) contain the session ID (session_id) property with the appropriate value. Refresh tokens issued before this date contain this property with a null value.
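As an added example (not Auth0's own code), the following Python walks the user resource endpoint above, revokes the tokens tied to one session by token ID, and then re-reads the user's list because revocation is asynchronous and eventually consistent; tokens whose session_id is null are skipped, since they cannot be matched to a session. It assumes the list endpoint returns a JSON object with a tokens array and that the caller supplies an HTTP callable carrying a Management API token with the scopes listed above; fake_http, the domain, user ID and token IDs used in testing are constructed for offline use.

```python
"""Added example, not Auth0's own code: list a user's refresh tokens via the
Management API, revoke those bound to one session, then re-read the list, because
DELETE is asynchronous and eventually consistent. Assumed: the list response is
{"tokens": [{"id": ..., "session_id": ...}, ...]} and `http` is any callable
(method, url) -> (status, body), e.g. a urllib wrapper adding a bearer token."""
import json
import time

def list_refresh_tokens(http, domain, user_id):
    # GET /api/v2/users/{userId}/refresh-tokens (scope read:refresh_tokens)
    status, body = http("GET", f"https://{domain}/api/v2/users/{user_id}/refresh-tokens")
    if status != 200:
        raise RuntimeError(f"listing refresh tokens failed: HTTP {status}")
    return json.loads(body)["tokens"]

def tokens_for_session(tokens, session_id):
    # Tokens issued before the dates under 'Limitations' have session_id null and can
    # never match a session: they are skipped, so covering them means revoking per user.
    return [t for t in tokens if t.get("session_id") is not None and t["session_id"] == session_id]

def revoke_session_tokens(http, domain, user_id, session_id, polls=3, delay=2.0):
    """Revoke each target by ID (scope delete:refresh_tokens), then poll the user's
    list. Non-empty result = still visible after the last poll (not yet propagated)."""
    targets = tokens_for_session(list_refresh_tokens(http, domain, user_id), session_id)
    for t in targets:
        status, _ = http("DELETE", f"https://{domain}/api/v2/refresh-tokens/{t['id']}")
        if status // 100 != 2:
            raise RuntimeError(f"revoking {t['id']} failed: HTTP {status}")
    remaining = {t["id"] for t in targets}
    for _ in range(polls):
        if not remaining:
            break
        remaining &= {t["id"] for t in list_refresh_tokens(http, domain, user_id)}
        time.sleep(delay if remaining else 0)
    return remaining

def fake_http(store, lag=1):
    """Constructed offline stand-in: DELETE is acknowledged at once, but the token
    only drops out of GET after `lag` further reads (eventual consistency)."""
    pending = {}
    def http(method, url):
        if method == "DELETE":
            pending[url.rsplit("/", 1)[1]] = lag
            return 202, ""
        for tid in [k for k, n in pending.items() if n <= 0]:
            store.pop(tid, None); del pending[tid]
        for tid in pending:
            pending[tid] -= 1
        return 200, json.dumps({"tokens": list(store.values())})
    return http
```

A non-empty return value from revoke_session_tokens means the revocation has not propagated yet, not that it failed; re-poll later rather than retrying the DELETE.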
