Posted On: Jun 10, 2021

By default, Amazon Cognito refresh tokens expire 30 days after a user signs in to a user pool. When you create an app, you can set the app's refresh token expiration to any value between 60 minutes and 10 years. Amazon Cognito now enables you to revoke refresh tokens in real time so that those refresh tokens cannot be used to generate additional access tokens.

Using targeted sign out, you have more fine-grained control over the user experience than you do with global sign out. For example, you may want to revoke the refresh token associated with a sign-in on a previous device when a user signs in on a new device. Even when you want to keep the user signed in to multiple devices, you may want to revoke the refresh token associated with one of those devices if you notice suspicious behavior that may indicate fraud.
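The two cases above, as an added example (not AWS code): an app-side registry that revokes individual refresh tokens through the Cognito `RevokeToken` API, exposed in boto3 as `revoke_token`. The `DeviceSessions` store, device names, token strings and client ID are constructed for illustration, and `FakeIdp` stands in for `boto3.client("cognito-idp")` so the code runs offline.

```python
from dataclasses import dataclass, field


class FakeIdp:
    """Constructed stand-in for boto3.client("cognito-idp"); records calls."""
    def __init__(self):
        self.revoked = []

    def revoke_token(self, Token, ClientId):
        self.revoked.append(Token)
        return {}


@dataclass
class DeviceSessions:
    """Hypothetical app-side store: one refresh token per (user, device)."""
    idp: object                 # real boto3 client or FakeIdp
    client_id: str              # app client ID (placeholder in this example)
    single_device: bool = True  # policy: a new sign-in evicts other devices
    tokens: dict = field(default_factory=dict)  # user -> {device: token}

    def _revoke(self, user, device):
        token = self.tokens.get(user, {}).get(device)
        if token is None:
            return False
        # Revokes this one refresh token; other devices stay signed in.
        # If the call raises, the entry is kept so the revoke can be retried.
        self.idp.revoke_token(Token=token, ClientId=self.client_id)
        del self.tokens[user][device]
        return True

    def on_sign_in(self, user, device, refresh_token):
        """Store the new token; return the devices whose tokens were revoked."""
        current = self.tokens.get(user, {})
        # Always retire a stale token for the same device; under the
        # single-device policy retire every other device as well.
        evict = [d for d in current if self.single_device or d == device]
        revoked = [d for d in evict if self._revoke(user, d)]
        self.tokens.setdefault(user, {})[device] = refresh_token
        return revoked

    def on_suspicious_activity(self, user, device):
        """Targeted sign-out of one device; True if a token was revoked."""
        return self._revoke(user, device)
```

With a real client, pass `boto3.client("cognito-idp")` as `idp`; app clients that have a secret also need `ClientSecret` in the `revoke_token` call.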

To learn more about Amazon Cognito, visit the documentation.