Deleting expired refresh tokens

After an authentication refresh token is revoked or expires, it remains in the database.

For security reasons and to reduce database storage, we recommend giving the tokens a lifetime and deleting them once it has passed. Once they have a lifetime, you can configure a cron job to delete them automatically or delete them manually.

To configure the lifetime of refresh tokens, extend the Spryker\Shared\Oauth\OauthConfig class at the project level.

To configure the cron job that deletes tokens whose lifetime has expired, set the retention interval via the Spryker\Shared\Oauth\OauthConfig::getRefreshTokenRetentionInterval() method.

To delete tokens whose lifetime has expired manually, run the command:

vendor/bin/console oauth:refresh-token:remove-expired
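The following project-level configuration class is an added example and is not code from this page or from Spryker itself. It shows the override the steps above describe. It assumes Spryker's default `Pyz` project namespace, that both methods return ISO 8601 duration strings (the format accepted by PHP's `\DateInterval`), and that the lifetime accessor is named `getRefreshTokenLifetime()`; only `getRefreshTokenRetentionInterval()` is named on this page, so check the parent class of your installed Oauth module before relying on the other method name.

```php
<?php

namespace Pyz\Shared\Oauth;

use Spryker\Shared\Oauth\OauthConfig as SprykerOauthConfig;

/**
 * Project-level override of the Oauth module configuration (example, not
 * Spryker's own code).
 *
 * Assumptions not taken from the documentation page:
 *  - `Pyz` is the project namespace (Spryker's default project layout);
 *  - both accessors return ISO 8601 durations such as "P1M" (one month),
 *    i.e. strings that `new \DateInterval(...)` accepts;
 *  - the lifetime accessor is named getRefreshTokenLifetime(); verify the
 *    name against the parent class in your installed Oauth module version.
 */
class OauthConfig extends SprykerOauthConfig
{
    /**
     * How long a newly issued refresh token remains valid.
     *
     * A shorter lifetime bounds the window in which a leaked or stolen
     * refresh token can be exchanged for new access tokens.
     */
    public function getRefreshTokenLifetime(): string
    {
        return 'P14D'; // fourteen days (example value)
    }

    /**
     * How long an expired or revoked token row is kept before
     * `oauth:refresh-token:remove-expired` deletes it.
     *
     * Keep it long enough that an incident investigation can still see
     * which client held which token, but bounded so the table does not
     * grow without limit.
     */
    public function getRefreshTokenRetentionInterval(): string
    {
        return 'P7D'; // seven days after expiry or revocation (example value)
    }
}
```

With this class in place, `vendor/bin/console oauth:refresh-token:remove-expired` deletes only rows older than the retention interval, so the interval is the knob that trades forensic visibility against table growth. Schedule the command in the project's cron job definition (in a standard Spryker project that is the Jenkins job list under `config/Zed/cronjobs/`; this path is an assumption, not something the page states) so that cleanup does not depend on someone remembering to run it.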