JWT Refresh Token Revoke

This event is generated when a refresh token is revoked. The JSON includes either the User Id and User or the Application Id depending on what was revoked. It will also include the time to live duration (in seconds) for each Application. This value is used to determine if JWTs are valid or not based on their expiration instants.

The following scenarios will cause this event to be generated:

  • A single Refresh Token is revoked
  • All Refresh Tokens owned by a single User are revoked (if there is at least one valid Refresh Token for this User)
  • All Refresh Tokens owned by a single User for an Application are revoked
  • All Refresh Tokens for an Application are revoked

Event Type

jwt.refresh-token.revoke

Event Scope

Prior to version 1.37.0 this was a tenant or application scoped event. It can be sent to all applications or to one or more specified applications.

The ability to limit the generation of an event for only certain applications is legacy functionality and is removed as of version 1.37.0. In earlier versions, you almost certainly want to enable this event at the tenant level and optionally filter on the tenantId when consuming the event.

In version 1.37.0 and later this is a tenant scoped event. It can be sent to all tenants or to one or more specified tenants. Those tenants will only be sent events related to their tenant. You can optionally also filter on the applicationId when consuming the event.

Transaction Compatibility

This event is transactional. The final state of the operation which caused the webhook is not persisted to FusionAuth until after the webhook finishes.

Revoking Single Refresh Token

This example JSON would reflect a scenario where a single refresh token is revoked for a single user for a single application.

Event Body

event.applicationId [UUID]

The unique Id of the Application for which the refresh token has been revoked.

event.applicationTimeToLiveInSeconds [Map<UUID, Integer>]

A map of Application Id to the configured time to live (TTL) for the access token (JWT). This can be used to identify the maximum amount of time after this event occurred where an un-expired access token may be held by a user.

If you take the createInstant of this event and add the number of seconds for a specific application TTL you come up with an instant in time where you should consider all access tokens issued before this time invalid. This is because the access token will have been issued on or before the instant the refresh token was revoked.

This map will contain a single entry for the application represented by the applicationId field.

event.createInstant [Long]

The instant that the event was generated.

event.id [UUID]

The unique Id of the event. You may receive an event more than once based upon your transaction settings. This Id may be used to identify a duplicate event.

event.info.data [Object] Available since 1.30.0

An object that can hold any information about the event that should be persisted.

event.info.deviceDescription [String] Available since 1.30.0

The description of the device associated with the event.

event.info.deviceName [String] Available since 1.30.0

The device name associated with the event.

event.info.deviceType [String] Available since 1.30.0

The type of device associated with the event.

event.info.ipAddress [String] Available since 1.27.0

The source IP address of the event.

event.info.location.city [String] Available since 1.30.0

The city where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.location.country [String] Available since 1.30.0

The country where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.location.latitude [Double] Available since 1.30.0

The latitude where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.location.longitude [Double] Available since 1.30.0

The longitude where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.location.region [String] Available since 1.30.0

The geographic location where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.location.zipcode [String] Available since 1.30.0

The zip code where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.os [String] Available since 1.30.0

The operating system associated with the event.

event.info.userAgent [String] Available since 1.30.0

The user agent associated with the event.

event.refreshToken [Object] Available since 1.37.0

The refresh token being revoked. This is only returned when a single refresh token is revoked. See the JWT API for property definitions and example JSON.

event.tenantId [UUID] Available since 1.8.0

The unique tenant identifier. This value may not be returned if not applicable.

event.type [String]

The event type. This value will always be jwt.refresh-token.revoke.

event.userId [UUID]

The unique Id of the User for which a refresh token has been revoked.

event.user [Object] Available since 1.8.0

The user for which a refresh token has been revoked. See the Users API for property definitions and example JSON.

Example Event JSON

{
  "event": {
    "applicationId": "21a8893c-51b3-4964-8a50-6afb66ee8acd",
    "applicationTimeToLiveInSeconds": {
      "21a8893c-51b3-4964-8a50-6afb66ee8acd": 600
    },
    "createInstant": 1505762615056,
    "id": "e502168a-b469-45d9-a079-fd45f83e0406",
    "info": {
      "ipAddress": "42.42.42.42",
      "location": {
        "city": "Denver",
        "country": "US",
        "displayString": "Denver, CO, US",
        "latitude": 39.77777,
        "longitude": -104.9191,
        "region": "CO"
      },
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36"
    },
    "refreshToken": {
      "applicationId": "21a8893c-51b3-4964-8a50-6afb66ee8acd",
      "id": "8b765761-5c7b-4f49-be88-af4eabcf4903",
      "insertInstant": 1505762505056,
      "metaData": {
        "device": {
          "lastAccessedAddress": "65.133.53.42",
          "lastAccessedInstant": 1675457978462,
          "name": "Richard's Hooli Phone",
          "type": "MOBILE"
        },
        "scopes": [
          "offline_access"
        ]
      },
      "startInstant": 1675457978462,
      "token": "ZxhAMC-Xr78DUnnuWhvADjUUXpMHUSGuahkA-EXAMPLE",
      "userId": "dfdbae16-4e65-42c2-9773-23dfd6f5671d"
    },
    "tenantId": "e872a880-b14f-6d62-c312-cb40f22af465",
    "type": "jwt.refresh-token.revoke",
    "userId": "dfdbae16-4e65-42c2-9773-23dfd6f5671d",
    "user": {
      "active": true,
      "email": "example@fusionauth.io",
      "id": "00000000-0000-0001-0000-000000000000",
      "passwordChangeRequired": false,
      "tenantId": "f24aca2b-ce4a-4dad-951a-c9d690e71415",
      "twoFactorEnabled": false,
      "usernameStatus": "ACTIVE",
      "verified": true
    }
  }
}

All User Refresh Tokens Revoked

This example JSON would reflect a scenario where all refresh tokens owned by a single user are revoked.

Event Body

event.applicationTimeToLiveInSeconds [Map<UUID, Integer>]

A map of Application Id to the configured time to live (TTL) for the access token (JWT). This can be used to identify the maximum amount of time after this event occurred where an un-expired access token may be held by a user.

If you take the createInstant of this event and add the number of seconds for a specific application TTL you come up with an instant in time where you should consider all access tokens issued before this time invalid. This is because the access token will have been issued on or before the instant the refresh token was revoked.

This map will contain a single entry for the application represented by the applicationId field.

event.createInstant [Long]

The instant that the event was generated.

event.id [UUID]

The unique Id of the event. You may receive an event more than once based upon your transaction settings. This Id may be used to identify a duplicate event.

event.info.data [Object] Available since 1.30.0

An object that can hold any information about the event that should be persisted.

event.info.deviceDescription [String] Available since 1.30.0

The description of the device associated with the event.

event.info.deviceName [String] Available since 1.30.0

The device name associated with the event.

event.info.deviceType [String] Available since 1.30.0

The type of device associated with the event.

event.info.ipAddress [String] Available since 1.27.0

The source IP address of the event.

event.info.location.city [String] Available since 1.30.0

The city where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.location.country [String] Available since 1.30.0

The country where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.location.latitude [Double] Available since 1.30.0

The latitude where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.location.longitude [Double] Available since 1.30.0

The longitude where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.location.region [String] Available since 1.30.0

The geographic location where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.location.zipcode [String] Available since 1.30.0

The zip code where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.os [String] Available since 1.30.0

The operating system associated with the event.

event.info.userAgent [String] Available since 1.30.0

The user agent associated with the event.

event.tenantId [UUID] Available since 1.8.0

The unique tenant identifier. This value may not be returned if not applicable.

event.type [String]

The event type. This value will always be jwt.refresh-token.revoke.

event.userId [UUID]

The unique Id of the User for which a refresh token has been revoked.

event.user [Object] Available since 1.8.0

The user for which a refresh token has been revoked. See the Users API for property definitions and example JSON.

Example Event JSON

{
  "event": {
    "applicationTimeToLiveInSeconds": {
      "21a8893c-51b3-4964-8a50-6afb66ee8acd": 600
    },
    "createInstant": 1505762615056,
    "id": "e502168a-b469-45d9-a079-fd45f83e0406",
    "info": {
      "ipAddress": "42.42.42.42",
      "location": {
        "city": "Denver",
        "country": "US",
        "displayString": "Denver, CO, US",
        "latitude": 39.77777,
        "longitude": -104.9191,
        "region": "CO"
      },
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36"
    },
    "tenantId": "e872a880-b14f-6d62-c312-cb40f22af465",
    "type": "jwt.refresh-token.revoke",
    "userId": "dfdbae16-4e65-42c2-9773-23dfd6f5671d",
    "user": {
      "active": true,
      "email": "example@fusionauth.io",
      "id": "00000000-0000-0001-0000-000000000000",
      "passwordChangeRequired": false,
      "twoFactorEnabled": false,
      "usernameStatus": "ACTIVE",
      "verified": true
    }
  }
}

All Applications Refresh Tokens Revoked

This example JSON would reflect a scenario where all refresh tokens issued for a specific application are revoked.

Event Body

event.applicationId [UUID]

The unique Id of the Application for which all of the refresh tokens have been revoked.

event.applicationTimeToLiveInSeconds [Map<UUID, Integer>]

A map of Application Id to the configured time to live (TTL) for the access token (JWT). This can be used to identify the maximum amount of time after this event occurred where an un-expired access token may be held by a user.

If you take the createInstant of this event and add the number of seconds for a specific application TTL you come up with an instant in time where you should consider all access tokens issued before this time invalid. This is because the access token will have been issued on or before the instant the refresh token was revoked.

This map will contain a single entry for the application represented by the applicationId field.

event.createInstant [Long]

The instant that the event was generated.

event.id [UUID]

The unique Id of the event. You may receive an event more than once based upon your transaction settings. This Id may be used to identify a duplicate event.

event.info.data [Object] Available since 1.30.0

An object that can hold any information about the event that should be persisted.

event.info.deviceDescription [String] Available since 1.30.0

The description of the device associated with the event.

event.info.deviceName [String] Available since 1.30.0

The device name associated with the event.

event.info.deviceType [String] Available since 1.30.0

The type of device associated with the event.

event.info.ipAddress [String] Available since 1.27.0

The source IP address of the event.

event.info.location.city [String] Available since 1.30.0

The city where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.location.country [String] Available since 1.30.0

The country where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.location.latitude [Double] Available since 1.30.0

The latitude where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.location.longitude [Double] Available since 1.30.0

The longitude where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.location.region [String] Available since 1.30.0

The geographic location where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.location.zipcode [String] Available since 1.30.0

The zip code where the event originated.

Note: An Enterprise plan is required to utilize event location data.

event.info.os [String] Available since 1.30.0

The operating system associated with the event.

event.info.userAgent [String] Available since 1.30.0

The user agent associated with the event.

event.tenantId [UUID] Available since 1.8.0

The unique tenant identifier. This value may not be returned if not applicable.

event.type [String]

The event type. This value will always be jwt.refresh-token.revoke.

Example Event JSON

{
  "event": {
    "applicationId": "21a8893c-51b3-4964-8a50-6afb66ee8acd",
    "applicationTimeToLiveInSeconds": {
      "21a8893c-51b3-4964-8a50-6afb66ee8acd": 600
    },
    "createInstant": 1505762615056,
    "id": "e502168a-b469-45d9-a079-fd45f83e0406",
    "info": {
      "ipAddress": "42.42.42.42",
      "location": {
        "city": "Denver",
        "country": "US",
        "displayString": "Denver, CO, US",
        "latitude": 39.77777,
        "longitude": -104.9191,
        "region": "CO"
      },
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36"
    },
    "tenantId": "e872a880-b14f-6d62-c312-cb40f22af465",
    "type": "jwt.refresh-token.revoke"
  }
}
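
Consuming the event: the createInstant plus TTL arithmetic described for applicationTimeToLiveInSeconds in each of the three scenarios above, as an added example that is not FusionAuth's own code. It deduplicates on event.id, stores the cutoff per user and application, and rejects access tokens whose exp falls at or before it. The RevocationStore class, the sub and applicationId claim names, and the reading of createInstant as epoch milliseconds (consistent with the example values) are assumptions.

```python
class RevocationStore:
    """In-memory denylist fed by jwt.refresh-token.revoke webhook bodies (hypothetical helper)."""
    def __init__(self):
        self.seen_event_ids = set()  # event.id values already handled (duplicate deliveries)
        self.cutoffs = {}            # (userId or None, applicationId) -> cutoff in epoch ms

    def handle_event(self, body):
        """Record one webhook body; returns False for duplicates and other event types."""
        event = body["event"]
        if event.get("type") != "jwt.refresh-token.revoke" or event["id"] in self.seen_event_ids:
            return False
        self.seen_event_ids.add(event["id"])
        user_id = event.get("userId")  # absent when a whole application is revoked
        for app_id, ttl in event["applicationTimeToLiveInSeconds"].items():
            cutoff = event["createInstant"] + ttl * 1000  # assumed ms instant, TTL in seconds
            key = (user_id, app_id)
            self.cutoffs[key] = max(cutoff, self.cutoffs.get(key, 0))
        return True

    def is_revoked(self, claims):
        """claims: payload of a JWT whose signature was already verified (exp in seconds)."""
        exp_ms = claims["exp"] * 1000
        app_id = claims["applicationId"]
        # A token issued on or before the revocation expires no later than the cutoff.
        for key in ((claims["sub"], app_id), (None, app_id)):
            cutoff = self.cutoffs.get(key)
            if cutoff is not None and exp_ms <= cutoff:
                return True
        return False

    def purge(self, now_ms):
        """Drop entries whose cutoff has passed: every affected JWT has expired by then."""
        self.cutoffs = {k: v for k, v in self.cutoffs.items() if v > now_ms}

APP = "21a8893c-51b3-4964-8a50-6afb66ee8acd"
USER = "dfdbae16-4e65-42c2-9773-23dfd6f5671d"
# Trimmed copy of the page's "all user refresh tokens revoked" example event.
USER_EVENT = {"event": {"applicationTimeToLiveInSeconds": {APP: 600},
                        "createInstant": 1505762615056,
                        "id": "e502168a-b469-45d9-a079-fd45f83e0406",
                        "type": "jwt.refresh-token.revoke", "userId": USER}}

if __name__ == "__main__":
    store = RevocationStore()
    store.handle_event(USER_EVENT)
    print(store.is_revoked({"sub": USER, "applicationId": APP, "exp": 1505763000}))
```

For a single-token revocation the check is conservative: it also rejects access tokens the same user obtained for that application through other refresh tokens, and those clients simply refresh again.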