Can someone explain to me why we revoke refresh tokens instead of simply deleting them? I'm trying to understand in which cases deletion could cause issues.
Deleting still leaves it "open" on the server side. Revoking removes it from the server side. Let's say you had an active token, and someone somehow found it -- they can now use it to log in, even if you "delete" it from your storage. Revoking then deleting is always the safest option. – Zak Jun 06 '23 at 18:46
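
The scenario in the comment above, as an added example that is not part of the original thread: a hypothetical in-memory `RefreshTokenStore` (the class, its methods and the sample user are assumptions) shows that deleting the token from client storage leaves a copy redeemable, while server-side revocation makes the same copy fail.

```python
import hashlib
import secrets


class RefreshTokenStore:
    """Hypothetical server-side store; tokens are kept only as SHA-256 digests."""

    def __init__(self):
        self._records = {}  # digest -> {"user": str, "revoked": bool}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = {"user": user, "revoked": False}
        return token

    def revoke(self, token):
        record = self._records.get(self._digest(token))
        if record is not None:
            record["revoked"] = True

    def redeem(self, token):
        """Return (user, status); status is 'ok', 'revoked' or 'unknown'."""
        record = self._records.get(self._digest(token))
        if record is None:
            return None, "unknown"
        if record["revoked"]:
            # The record is kept, so use of a revoked token can be logged.
            return None, "revoked"
        return record["user"], "ok"


def demo():
    server = RefreshTokenStore()
    client_storage = {"refresh_token": server.issue("alice")}  # constructed sample
    copied = client_storage["refresh_token"]  # a copy that exists outside the client

    del client_storage["refresh_token"]       # client-side delete only
    after_delete = server.redeem(copied)      # server still honours the copy

    server.revoke(copied)                     # server-side revocation
    after_revoke = server.redeem(copied)      # the same copy is now refused
    return after_delete, after_revoke


if __name__ == "__main__":
    print(demo())
```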