Deleting expired refresh tokens
You are browsing a previous version of the document. The latest version is 202204.0.
After an authentication refresh token is revoked or expires, it remains in the database.
For security reasons and to reduce database storage usage, we recommend deleting the tokens by setting their lifetime. Once they have a lifetime, you can configure a cron job to delete them automatically or delete them manually.
To configure the lifetime of refresh tokens, extend the Spryker\Shared\Oauth\OauthConfig class on a project level.
To have the cron job delete the tokens whose lifetime has expired, set the time interval for the job via the Spryker\Shared\Oauth\OauthConfig::getRefreshTokenRetentionInterval() method.
To delete the tokens with expired lifetime manually, run the command:
vendor/bin/console oauth:refresh-token:remove-expired