Refresh Token Revocation

Overview

This article explains how to invalidate a user's session in an Auth0 native app after a password reset on the web app: revoke the user's refresh tokens through the Management API so the native app is logged out.

Applies To
  • Refresh Token
  • Management API
Solution
Follow the steps below to remove the offline_access grant for the user.
  1. Call GET /api/v2/grants?user_id=<user_id> to list the user's grants.
  2. Call DELETE /api/v2/grants/{id} with the id of the chosen grant.
Note: Deleting a grant automatically deletes the associated device credential as well. This approach deletes the user's consent together with the Refresh Token.
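The following Python script is an added example (not Auth0 code) that runs the two Management API calls above for one user. It assumes a Management API token with the read:grants and delete:grants scopes, that grant objects come back with the fields id, clientID, user_id, audience and scope (scope as a list of strings), and that a domain of example.auth0.com and the user id auth0|example-user are placeholders. It only deletes grants whose scope includes offline_access, so consent that never issued a refresh token is left alone, and it can optionally be narrowed to one client. The HTTP transport is injectable, so the constructed sample data at the top lets the flow run offline.

```python
"""Revoke a user's refresh tokens by deleting their offline_access grants.

Added example built around the two Management API calls in this article:
  GET    /api/v2/grants?user_id=<user_id>
  DELETE /api/v2/grants/{id}
The HTTP transport is injectable so the flow can be exercised offline with
the constructed sample data below.
"""
import json
import urllib.parse
import urllib.request

# Constructed sample response for GET /api/v2/grants?user_id=...; the field
# names (id, clientID, user_id, audience, scope) follow the Management API's
# grant objects but every value is made up for this example.
SAMPLE_GRANTS = [
    {"id": "grant_native_1", "clientID": "native_app_client", "user_id": "auth0|example-user",
     "audience": "https://example.auth0.com/userinfo", "scope": ["openid", "profile", "offline_access"]},
    {"id": "grant_web_1", "clientID": "web_app_client", "user_id": "auth0|example-user",
     "audience": "https://example.auth0.com/userinfo", "scope": ["openid", "profile"]},
    {"id": "grant_native_2", "clientID": "native_app_client", "user_id": "auth0|example-user",
     "audience": "https://api.example.com", "scope": ["read:orders", "offline_access"]},
]


def urllib_http(method, url, token):
    """Real transport: one authenticated Management API call, returns (status, parsed JSON or None)."""
    req = urllib.request.Request(url, method=method, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)


def list_user_grants(domain, token, user_id, http=urllib_http):
    """Step 1: GET /api/v2/grants?user_id=<user_id> (user_id is URL-encoded; '|' becomes %7C)."""
    url = f"https://{domain}/api/v2/grants?user_id={urllib.parse.quote(user_id, safe='')}"
    status, body = http("GET", url, token)
    if status != 200:
        raise RuntimeError(f"listing grants failed with HTTP {status}")
    return body


def select_offline_access_grants(grants, client_id=None):
    """Keep only grants that carry offline_access (the ones backing a refresh token).
    Restricting to those avoids deleting consent that never issued a refresh
    token; client_id optionally narrows the set to one application."""
    return [
        g for g in grants
        if "offline_access" in g.get("scope", [])
        and (client_id is None or g.get("clientID") == client_id)
    ]


def revoke_refresh_tokens(domain, token, user_id, client_id=None, http=urllib_http):
    """Steps 1 and 2 together: list, filter, then DELETE /api/v2/grants/{id} for each match.
    Returns the ids that were deleted. A 404 is treated as already gone so re-runs are safe."""
    grants = list_user_grants(domain, token, user_id, http=http)
    deleted = []
    for grant in select_offline_access_grants(grants, client_id):
        status, _ = http("DELETE", f"https://{domain}/api/v2/grants/{grant['id']}", token)
        if status not in (200, 204, 404):
            raise RuntimeError(f"deleting grant {grant['id']} failed with HTTP {status}")
        deleted.append(grant["id"])
    return deleted


def make_fake_http(grants):
    """Offline stand-in for urllib_http that serves `grants` and records every call."""
    calls = []

    def fake_http(method, url, token):
        calls.append((method, url))
        if method == "GET" and "/api/v2/grants?user_id=" in url:
            return 200, [dict(g) for g in grants]
        if method == "DELETE" and "/api/v2/grants/" in url:
            grant_id = url.rsplit("/", 1)[1]
            if any(g["id"] == grant_id for g in grants):
                grants[:] = [g for g in grants if g["id"] != grant_id]
                return 204, None
            return 404, {"statusCode": 404, "error": "Not Found"}
        return 400, {"error": "unexpected request in fake transport"}

    return fake_http, calls


def demo():
    """Run the revocation against the constructed sample data; returns (deleted ids, calls, remaining grants)."""
    grants = [dict(g) for g in SAMPLE_GRANTS]
    fake_http, calls = make_fake_http(grants)
    deleted = revoke_refresh_tokens("example.auth0.com", "MGMT_API_TOKEN_PLACEHOLDER",
                                    "auth0|example-user", http=fake_http)
    return deleted, calls, grants


if __name__ == "__main__":
    deleted, calls, remaining = demo()
    print("deleted grants:", deleted)                          # ['grant_native_1', 'grant_native_2']
    print("remaining grants:", [g["id"] for g in remaining])   # ['grant_web_1'] keeps its consent
```

To use it against a real tenant, call revoke_refresh_tokens(domain, token, user_id) with the default transport; the fake transport exists only so the flow can be checked without network access. Deleting the grant is what actually invalidates the refresh token, so the native app's next token refresh fails and the user is forced to log in again.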
