I’m working on a multi-tenant FusionAuth setup where each tenant has its own applications and signing keys. Everything works fine for login and access tokens, but I’m running into problems with refresh token revocation.
Tenant A and Tenant B both issue refresh tokens with custom JWT signing (ES256).
When I revoke a refresh token in Tenant A, sometimes the access token issued by Tenant B (with the same userId but different client) is also invalidated.
I’ve checked that tenants use separate signing keys, but FusionAuth seems to still treat the session globally.
How can I isolate refresh token/session revocation strictly per-tenant?
This feels like a misconfiguration on my end, but I can’t figure out what setting controls tenant-specific revocation.