Configuring Outdated Refresh Token Life Time

Edit on GitHub

Refresh tokens generated when accessing Glue REST API expire after a certain period of time. In addition to that, they can be forcibly revoked at any time. No matter how a token becomes invalidated, it is set to expire but remains in the Storage.

For security reasons and to reduce the database storage space, it is recommended to delete outdated refresh tokens once they are expired. There are two ways how tokens can be removed from the Storage:

  • automatically on a schedule,
  • manually.

To configure the time during which an outdated refresh token is stored:

  1. Extend the Spryker\Shared\Oauth\OauthConfig class on your project level.
  2. Configure the time interval for the job via the Spryker\Shared\Oauth\OauthConfig::getRefreshTokenRetentionInterval() method.

After configuring the token lifetime, invalidated tokens will be deleted automatically by a Cron job once their storage time expires.


If necessary, you can delete invalidated refresh tokens with expired storage time manually at any time. To do so, run the following console command:

vendor/bin/console oauth:refresh-token:remove-expired