Manage Refresh Tokens with Auth0 Management API
The Auth0 Management API refresh token endpoints are currently in Early Access for Public Cloud deployment customers on Enterprise plans. Private Cloud deployment customers can request access via their Technical Account Manager (TAM). To learn more about Auth0 release stages, review Product Release Stages.
Auth0 issues a refresh token as a credential artifact that your application can use to get a new access token without user interaction. This allows Auth0 to shorten the access token lifetime for security purposes without involving the user when the access token expires.
Management API endpoints
The Auth0 Management API provides endpoints to manage refresh tokens individually or as a collection.
These endpoints complement alternative refresh-token revocation, superseding the device-credentials resource endpoints with extended properties and bulk revocation operations.
Refresh Token resource
You can view or revoke a specific refresh token with the following endpoints:
| Name | URL | Required scope(s) |
|---|---|---|
| View a refresh token information by ID | GET /api/v2/refresh-tokens/{tokenId} |
read:refresh_tokens |
| Revoke a refresh token by ID | DELETE /api/v2/refresh-tokens/{tokenId} |
delete:refresh_tokens |
User resource
You can list or revoke all refresh tokens for a given user with the following endpoints:
| Name | URL | Required scope(s) |
|---|---|---|
| List all refresh tokens for a user | GET /api/v2/users/{userId}/refresh-tokens |
read:refresh_tokens |
| Revoke all refresh tokens for a user | DELETE /api/v2/users/{userId}/refresh-tokens |
delete:refresh_tokens |
Refresh token properties
The refresh token endpoints return relevant information about the token and its history.
| Field | Description |
|---|---|
| Refresh Token ID | A unique and tenant-specific identifier of the refresh token in the API. It is not the token itself, which is a secret to exchange with the token endpoint in the authentication API. Refresh tokens can outlive a session. The refresh token keeps this information regardless of the session lifecycle. |
| Session ID | The session ID is a persistent identifier of the session in the Auth0 tenant. Note that the session ID corresponds to the sid claim already in ID Tokens and Logout Tokens and can be used to cross-reference these entities.The refresh token contains references to the session that was used to create the token. The session ID can be used to retrieve additional information with the Management API Introspect a specific session by ID endpoint. |
| Relevant Time | Refresh token creation, and expiry information. |
| Client and Resource Servers Information | Summary information about the applications and APIs bound to a refresh token. |
Limitations
Refresh token revocation (
DELETE) operations run asynchronously, and are eventually consistent.Refresh tokens issued on or after 21-09-2023 (22-02-2024 for tenants in the US-3 region) contain the session ID (
session_id) property with the appropriate value. Refresh tokens issued before this date contain this property with anullvalue.