Refresh Token management

Hi,
we are developing a SaaS service and we would like to implement management of users’ API tokens. These tokens will be used by our users to authorize third-party tools to access our API.
The goal is to provide functionality to create, revoke and see the last usage of all of a user’s API tokens.

From the Okta APIs, it seems best to use this flow: Get a refresh token | Okta Developer
and indeed, we are able to generate an API (refresh) token for our users.

Well, I have not found any useful Okta APIs for API token management. How to show a list of active tokens for the current user? How to revoke a selected refresh token? How to get the last usage of a token?

I want to prevent storing refresh tokens in my database for security reasons. Could you suggest how to implement my use cases?

Thanks!
Jiri

It looks like you can use this API endpoint to keep track of refresh tokens issued based on the userId and clientId: Users | Okta Developer. You can also use it to revoke the refresh token if you don’t have the actual refresh token. Otherwise, it can be done with the /revoke endpoint (Revoke an access token or a refresh token | Okta Developer).

However, I don’t think there is a workaround to avoid storing the refresh tokens since they can be used for a while.

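An added illustration of the approach in this answer, in Python (not code from the thread or from Okta): list a user’s refresh tokens for a client through the Users management API (`GET /api/v1/users/{userId}/clients/{clientId}/tokens`) and revoke one by its id with `DELETE` on the same path, so the refresh token value itself never has to be stored. The org URL, ids and the JSON listing are constructed sample values, and treating `lastUpdated` as a proxy for last use is an assumption, not something the API documents.

```python
import json
from urllib.parse import quote

# Constructed sample of a token listing, trimmed to the fields used here.
# Ids, dates and scopes are made up; the field names follow the Users API.
SAMPLE_TOKENS = json.loads("""[
 {"id": "oar1abc", "status": "ACTIVE", "created": "2024-01-05T10:00:00.000Z",
  "lastUpdated": "2024-03-01T08:30:00.000Z", "expiresAt": "2024-06-01T08:30:00.000Z",
  "scopes": ["offline_access", "api.read"]},
 {"id": "oar2def", "status": "REVOKED", "created": "2023-11-20T09:00:00.000Z",
  "lastUpdated": "2023-12-01T09:00:00.000Z", "expiresAt": "2024-05-20T09:00:00.000Z",
  "scopes": ["offline_access"]}
]""")


def tokens_url(org_url, user_id, client_id, token_id=None):
    """Management-API URL for listing a user's refresh tokens for one client,
    or, when token_id is given, for revoking that single token with DELETE."""
    base = f"{org_url}/api/v1/users/{quote(user_id)}/clients/{quote(client_id)}/tokens"
    return f"{base}/{quote(token_id)}" if token_id else base


def admin_headers(api_token):
    """SSWS = Okta API-token auth. Keep this on the server side only; the
    browser client must never see it."""
    return {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}


def summarize(tokens):
    """Reduce the listing to what a user-facing 'my API tokens' page needs.
    Only the token id is kept as a handle; the refresh token value is never
    returned by this endpoint, so there is nothing secret to store."""
    return [{"id": t["id"], "status": t["status"], "created": t["created"],
             "last_updated": t["lastUpdated"],   # assumed proxy for last use
             "expires_at": t["expiresAt"],
             "scopes": sorted(t.get("scopes", []))}
            for t in tokens if t["status"] == "ACTIVE"]


def revoke_requests(org_url, user_id, client_id, tokens):
    """The DELETE requests needed to revoke every active token in a listing,
    addressed by token id rather than by the refresh token itself."""
    return [("DELETE", tokens_url(org_url, user_id, client_id, t["id"]))
            for t in summarize(tokens)]
```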

Many thanks @warren. The management API Users | Okta Developer is exactly what I was looking for!

I can list tokens per user and revoke them without knowing the refresh token.
