We’ve added support for Cascade Revocation in Native to Web SSO.
With this new capability, revoking the original refresh token used in a Native to Web flow will now automatically revoke all dependent web sessions and their issued refresh tokens.
This helps prevent stale or orphaned sessions and ensures that once the root token is no longer valid, all downstream access is properly revoked.
enable_cascade_revocation: When enabled, revoking a native app’s refresh token also revokes all web sessions and refresh tokens created via session_transfer_token.
enable_online_refresh_tokens: When enabled, refresh tokens issued during a Native to Web SSO flow are tied to the lifetime of their associated session (i.e., online tokens).
Both of these settings are enabled by default, even when not explicitly configured.
This means:
You can manage or override these settings using the Auth0 Management API.
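A toy model of the token lineage described above, added here as an illustration; it is not Auth0's implementation or API. Only the two flag names come from this page; the class and method names (LineageStore, transfer_to_web, end_session, orphans) are hypothetical. It shows what each setting changes and how to audit for sessions or tokens still active under a revoked parent.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Node:
    kind: str                 # "refresh_token" or "session"
    parent: Optional[str]     # id of the token or session it was derived from
    revoked: bool = False

class LineageStore:
    """Toy model of Native to Web SSO token lineage; not Auth0's implementation."""
    def __init__(self, enable_cascade_revocation=True, enable_online_refresh_tokens=True):
        self.cascade = enable_cascade_revocation
        self.online = enable_online_refresh_tokens
        self.nodes = {}

    def issue_native_refresh_token(self, rt_id):
        self.nodes[rt_id] = Node("refresh_token", None)

    def transfer_to_web(self, native_rt, session_id, web_rt):
        # Models the session_transfer_token exchange: native RT -> web session -> web RT.
        if self.nodes[native_rt].revoked:
            raise PermissionError("root refresh token is revoked")
        self.nodes[session_id] = Node("session", native_rt)
        self.nodes[web_rt] = Node("refresh_token", session_id)

    def _children(self, node_id):
        return [i for i, n in self.nodes.items() if n.parent == node_id]

    def revoke_refresh_token(self, rt_id):
        self.nodes[rt_id].revoked = True
        if self.cascade:                      # walk the whole dependent subtree
            stack = self._children(rt_id)
            while stack:
                child = stack.pop()
                self.nodes[child].revoked = True
                stack.extend(self._children(child))

    def end_session(self, session_id):
        self.nodes[session_id].revoked = True
        if self.online:                       # online tokens die with their session
            for child in self._children(session_id):
                self.nodes[child].revoked = True

    def orphans(self):
        """Audit: still-active nodes that have a revoked ancestor."""
        def stale(n):
            p = n.parent
            return p is not None and (self.nodes[p].revoked or stale(self.nodes[p]))
        return sorted(i for i, n in self.nodes.items() if not n.revoked and stale(n))
```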
This update provides stronger guarantees around token lifecycle and session integrity across platforms:
Learn more in our Native to Web SSO documentation
Fetched April 11, 2026