FusionAuth
    Can I revoke an access token in FusionAuth?

dan

      I want to revoke an access token. Can I?

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

dan @dan

        No.

You can't explicitly revoke an access token in FusionAuth. We don't support RFC 7009 (https://www.rfc-editor.org/rfc/rfc7009.html), and based on the number of upvotes for this, I don't know if the community wants us to: https://github.com/FusionAuth/fusionauth-issues/issues/201. But if you do, feel free to upvote that issue.

        If you want to have an access token become invalid, you have to manage it yourself. That is what is outlined in this article.

        The process is basically:

        • set up webhooks to fire to all the resource servers when a refresh token is invalidated (when the user logs out)
        • listen for that event, and when it occurs, record the user with the invalid token in the resource server (in redis, db, etc)
        • next time an access token is presented, verify that it is not for a user who has logged out

If you want to handle the case where a user logs out, then logs back in quickly, then the time-based logic in the Webhooks section here: https://fusionauth.io/learn/expert-advice/tokens/revoking-jwts needs to be implemented.

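The three steps in the answer above, plus the time-based logic for the log-out-then-log-back-in case, as an added example that is not part of the original post and not FusionAuth's own code. It shows the resource-server side only: a webhook handler that records the user and the logout time, a check run on every presented access token, and an entry lifetime bounded by the access token TTL so the store never grows without bound. Assumptions: the webhook body follows the documented shape of FusionAuth's jwt.refresh-token.revoke event (event.userId, event.createInstant in milliseconds, event.applicationTimeToLiveInSeconds keyed by application id; verify the field names against your version); the JWT signature has already been verified and only the decoded claims (sub, iat, exp in seconds) are passed in; an in-memory dict stands in for the Redis or database table the answer mentions. The sample webhook body and tokens are constructed for the example.

```python
import json
import time


class RevocationStore:
    """Per-user 'logged out at' records held by a resource server.

    An in-memory dict stands in for Redis or a database table (constructed
    for this example). Each entry lives only as long as an access token minted
    before the logout could still be valid, so the store stays small.
    """

    def __init__(self):
        self._revoked = {}  # user_id -> (revoked_at_s, purge_after_s)

    def record(self, user_id, revoked_at_s, token_ttl_s):
        self._revoked[user_id] = (revoked_at_s, revoked_at_s + token_ttl_s)

    def is_revoked(self, user_id, issued_at_s, now_s):
        entry = self._revoked.get(user_id)
        if entry is None:
            return False
        revoked_at_s, purge_after_s = entry
        if now_s >= purge_after_s:
            # Every token issued before the logout has expired on its own by now.
            del self._revoked[user_id]
            return False
        # A token minted before the logout is dead; a token minted by a later
        # login (larger iat) stays valid. That is the log-out-then-log-back-in case.
        return issued_at_s < revoked_at_s

    def size(self):
        return len(self._revoked)


def handle_revoke_webhook(store, body):
    """Consume one webhook POST body from FusionAuth and update the store.

    Payload field names are assumed from the documented jwt.refresh-token.revoke
    event: event.userId, event.createInstant (ms since epoch) and
    event.applicationTimeToLiveInSeconds (application id -> access token TTL).
    Returns True when a revocation entry was recorded, False for other events.
    """
    event = json.loads(body).get("event", {})
    if event.get("type") != "jwt.refresh-token.revoke":
        return False
    ttls = event.get("applicationTimeToLiveInSeconds") or {}
    # Use the longest configured TTL so no application's tokens outlive the record.
    ttl_s = max(ttls.values(), default=3600)
    store.record(event["userId"], event["createInstant"] / 1000.0, ttl_s)
    return True


def access_token_is_usable(store, claims, now_s=None):
    """Decision the resource server makes for each presented access token.

    `claims` is the already signature-verified JWT payload with sub, iat and
    exp in seconds; signature checking is assumed to happen before this call.
    """
    now_s = time.time() if now_s is None else now_s
    if claims.get("exp", 0) <= now_s:
        return False
    return not store.is_revoked(claims["sub"], claims["iat"], now_s)


# Constructed sample: one logout webhook, then requests carrying two tokens.
SAMPLE_WEBHOOK = json.dumps({
    "event": {
        "type": "jwt.refresh-token.revoke",
        "userId": "user-123",
        "createInstant": 1_700_000_000_000,
        "applicationTimeToLiveInSeconds": {"app-a": 3600},
    }
})
OLD_TOKEN = {"sub": "user-123", "iat": 1_699_999_000, "exp": 1_700_002_600}  # minted before logout
NEW_TOKEN = {"sub": "user-123", "iat": 1_700_000_010, "exp": 1_700_003_610}  # minted by the re-login


def demo():
    store = RevocationStore()
    handle_revoke_webhook(store, SAMPLE_WEBHOOK)
    now = 1_700_000_100
    return {
        "old_token_accepted": access_token_is_usable(store, OLD_TOKEN, now),
        "new_token_accepted": access_token_is_usable(store, NEW_TOKEN, now),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The comparison is on `iat`, so a token reissued within the same second as the logout is rejected (iat has second granularity, createInstant has millisecond granularity); that fails closed and the user simply logs in again. The store entry is purged once the longest access token TTL has elapsed since the logout, because by then any token issued before the logout is rejected by its own `exp` claim anyway.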