Does Cognito's RevokeToken API call invalidate Access Tokens and/or Id Tokens and/or Refresh Tokens?


The documentation for Amazon Cognito RevokeToken says:

Revokes all of the access tokens generated by the specified refresh token. After the token is revoked, you can't use the revoked token to access Amazon Cognito authenticated APIs. (emphasis added)

The documentation also says:

   "ClientId": "string",
   "ClientSecret": "string",
   "Token": "string"

The refresh token that you want to revoke.

Does this mean that the Refresh Token is revoked? Or that the Access Tokens and/or ID Tokens generated by a specific Refresh Token are revoked?

1 Answer

Suppose an user has logged in at 1 AM and Cognito has returned access, ID and refresh tokens after the user sign-in. If you call the RevokeToken API with that refresh token, then the initially issued access and ID tokens, the refresh token, and all access and ID tokens which were issued using that refresh token will be revoked.

Note: Only Cognito service is aware of the token revocation when you revoke token using RevokeToken API. However, your resource server will treat the token as valid until the token's expiry time breach. You may call GetUser API of Cognito to check whether a token is revoked or not. However, please consider the limit per second on number of GetUser API [1].


answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions