Access Token, Refresh token, and Refresh Token Rotation

Thanks for the comment and for pointing that out, how should token be handled without using third-party solutions?

mathew adetunji Hi. Generally speaking, the safest way to invalidate tokens is by demanding a specific minimum issued at time.

I explain the logic behind this invalidation method here. This can be refined to apply to refresh tokens only, if you wish, or invalidating per token type.

You'll also see alternative 1 that tells you to key the tokens. Then you can more safely save token keys, not tokens. I discourage this path, though, because of the extra administrative work around maintaining the keys.