Enabling single access token per subject

Single Access Token Per Subject

By default, Authlete issues a new access token each time the same user approves an authorization request from a client, that is, each time the authorization server calls Authlete’s /auth/authorization/issue API with the same subject value.

Also by default, Authlete leaves previously issued access tokens for that subject valid. As a result, the client may hold several valid access tokens for the same user at the same time.

Runtime Behaviour

In some environments, the authorization server must not leave multiple valid access tokens outstanding for one user in this way. For such deployments Authlete provides the Single Access Token Per Subject option.

Authlete Configuration

To enable Single Access Token Per Subject, follow these steps:

  1. Log in to the Authlete Management Console.
  2. Navigate to Service Settings > Tokens and Claims > Access Tokens.
  3. Locate the Enable Single Token Per Subject option under the General section.
  4. Toggle the switch to enable this option (as shown in the screenshot below).
  5. Click Save Changes to apply the configuration.

Once enabled, Authlete automatically invalidates any previously issued access tokens, together with the refresh tokens associated with them, for the same subject whenever it issues a new access token. A client still holding an older token will find it rejected after the user completes a new authorization (introspection reports it as inactive and the old refresh token can no longer be exchanged), so clients that keep more than one session per user must be prepared to re-authorize. Before relying on the option, confirm in a test service exactly which tokens are affected for your configuration rather than assuming the scope from the option name alone.
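The following is an added illustration, not Authlete's implementation or API client: a constructed in-memory token store that plays the role of the authorization server's token table, with a boolean standing in for the Enable Single Token Per Subject switch. It shows the two behaviours described above side by side: with the switch off, two issuances for the same subject leave two valid access tokens; with it on, the second issuance invalidates the first access token and its refresh token. The subject and client identifiers, the refresh-token rotation on use, and the introspection response shape (modelled on RFC 7662) are assumptions made for the example.

```python
"""Constructed model of token issuance with and without the
Single Access Token Per Subject option. Added example; not Authlete code."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenRecord:
    access_token: str
    refresh_token: str
    subject: str
    client_id: str
    active: bool = True  # False once the pair has been invalidated


class TokenStore:
    """Stand-in for the authorization server's token table."""

    def __init__(self, single_access_token_per_subject: bool = False):
        # Mirrors the "Enable Single Token Per Subject" switch.
        self.single_access_token_per_subject = single_access_token_per_subject
        self._by_access: Dict[str, TokenRecord] = {}
        self._by_refresh: Dict[str, TokenRecord] = {}

    def issue(self, subject: str, client_id: str) -> TokenRecord:
        """Models what happens on /auth/authorization/issue for `subject`."""
        if self.single_access_token_per_subject:
            # Invalidate every still-active pair for this subject. Because the
            # same record backs both tokens, the refresh token dies with it.
            for rec in self._by_access.values():
                if rec.subject == subject and rec.active:
                    rec.active = False
        rec = TokenRecord(
            access_token=secrets.token_urlsafe(32),
            refresh_token=secrets.token_urlsafe(32),
            subject=subject,
            client_id=client_id,
        )
        self._by_access[rec.access_token] = rec
        self._by_refresh[rec.refresh_token] = rec
        return rec

    def introspect(self, access_token: str) -> dict:
        """RFC 7662-style answer: an invalidated or unknown token is inactive."""
        rec = self._by_access.get(access_token)
        if rec is None or not rec.active:
            return {"active": False}
        return {"active": True, "sub": rec.subject, "client_id": rec.client_id}

    def refresh(self, refresh_token: str) -> Optional[TokenRecord]:
        """Exchange a refresh token; None if it was invalidated. Assumes the
        old pair is rotated out on every successful refresh (example choice)."""
        rec = self._by_refresh.get(refresh_token)
        if rec is None or not rec.active:
            return None
        rec.active = False
        return self.issue(rec.subject, rec.client_id)

    def active_tokens_for(self, subject: str) -> int:
        return sum(1 for r in self._by_access.values()
                   if r.subject == subject and r.active)


def demo(single_access_token_per_subject: bool) -> dict:
    """Issue twice for the same (constructed) subject and report what the
    first token's holder would observe afterwards."""
    store = TokenStore(single_access_token_per_subject)
    first = store.issue("alice", "client-a")
    second = store.issue("alice", "client-a")
    return {
        "first_active": store.introspect(first.access_token)["active"],
        "second_active": store.introspect(second.access_token)["active"],
        "active_count": store.active_tokens_for("alice"),
        "first_refresh_works": store.refresh(first.refresh_token) is not None,
    }


if __name__ == "__main__":
    print("default :", demo(False))
    print("single  :", demo(True))
```

Running the module prints one line per mode; in the default mode both tokens stay active and the first refresh token still works, whereas with the option on only the second token is active and the first refresh token is rejected, which is exactly the condition a client must handle after the user re-authorizes.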