By default, Authlete issues a new access token each time the same user grants an authorization request from a client. This happens when the authorization server calls Authlete’s /auth/authorization/issue API with the same subject value.
However, by default, Authlete does not invalidate previously issued access tokens associated with the same user. As a result, the client may hold multiple valid access tokens for the same user at the same time.
In some environments, the authorization server is required not to issue multiple valid access tokens to the same user in this way. To meet that requirement, Authlete provides the Single Access Token Per Subject option.
To enable Single Access Token Per Subject, follow these steps:
Once enabled, Authlete will automatically invalidate any previously issued access tokens and their associated refresh tokens for the same subject when issuing a new access token.
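The following is an added in-memory model of the behaviour described above, not Authlete's own code: it contrasts the default (several valid tokens per subject) with the option enabled (a new issuance invalidates the subject's earlier access tokens and their refresh tokens). The class, method and field names are assumptions for illustration; `issue`, `introspect` and `refresh` stand in for the /auth/authorization/issue, /auth/introspection and refresh-token flows only loosely.

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Token:
    access_token: str
    refresh_token: str
    subject: str
    client_id: str
    active: bool = True


class TokenStore:
    """Hypothetical model of Authlete's token issuance (not Authlete code).
    With single_token_per_subject=True, issuing a token for a subject
    invalidates that subject's earlier access/refresh token pairs."""

    def __init__(self, single_token_per_subject: bool = False):
        self.single_token_per_subject = single_token_per_subject
        self._tokens: List[Token] = []

    def issue(self, subject: str, client_id: str) -> Token:
        """Models /auth/authorization/issue for one subject."""
        if self.single_token_per_subject:
            for t in self._tokens:
                if t.subject == subject and t.active:
                    t.active = False  # access token and its refresh token both die
        tok = Token(secrets.token_urlsafe(16), secrets.token_urlsafe(16),
                    subject, client_id)
        self._tokens.append(tok)
        return tok

    def introspect(self, access_token: str) -> bool:
        """Models /auth/introspection: True only while the token is still valid."""
        return any(t.access_token == access_token and t.active for t in self._tokens)

    def refresh(self, refresh_token: str) -> Optional[Token]:
        """Models a refresh-token grant; returns None once the pair was invalidated.
        Rotation of the old pair is an assumption of this model."""
        for t in self._tokens:
            if t.refresh_token == refresh_token and t.active:
                t.active = False
                return self.issue(t.subject, t.client_id)
        return None

    def active_tokens(self, subject: str) -> int:
        """Number of currently valid access tokens held for a subject."""
        return sum(1 for t in self._tokens if t.subject == subject and t.active)
```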