Under “Refresh Tokens” there are a lot of old tokens (up to 9 months old). Yeah yeah … I know I should log out decently.
I’ve already seen I’m not alone in this.
Since deleting one by one is a drama, I think it’s about time to have a max. lifetime setting on it.
Makes sense since we have “Long-Lived Access Tokens” that last 10 years.
Completely agree with @haston. I have the same issue. I’d prefer to be able to set the refresh token lifetime to something like 3 months - I’ve not come back using that client in 3 months, it’s unlikely I’m going to.
I have just finished the add-on “TokenRemover” for this exact issue. It takes ages to remove them by hand. The configuration is easy: just set the number of days and run the add-on. It will remove tokens older than the current date-time (+30 minutes), minus the set days. Devices whose token has been removed will need to re-authenticate.
Please take a look at the docs, which will explain how to install, configure, and use it. The add-on can be found here.
I’m curious about your opinion, so please let me know what your findings are.
Good to hear! I’m glad it works as it should.
Thanks for the feedback also. I noticed this too and I will add your comment to the instruction as a heads-up.
In the meantime, I have locked myself out a few times* while testing what would happen if I removed all of the “normal type” tokens. It appears that the Companion App and/or perhaps the places where “Keep me logged in” was selected keep trying to re-authenticate with the already revoked token, even though Home Assistant had already detected the token was not valid anymore and redirected me to the login page…
*Locking out behavior would require you to have Home Assistant set up with ip_ban_enabled: true and login_attempts_threshold: <number> configured.
With ip_ban configured, failing to properly authenticate more than the set threshold would result in a ban. So I have added an option to prevent active tokens from being removed if they were used within the user-defined number of days. With this option, the current session would more likely survive.
I also added an automatic check which restores the ip_bans.yaml file when changes have been detected within one minute after TokenRemover has run. When this restore triggers, the Home Assistant Core will restart once more to make this change “permanent”. This safety feature keeps the legit users out of the ban, without affecting the legit bans.
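The selection rule described in the TokenRemover posts above, as an added example that is not part of the thread and is not the add-on's own code. The field names (`id`, `token_type`, `created_at`, `last_used_at`), the helper name `select_stale_tokens`, the restriction to "normal" tokens and the reading of the cutoff as "now + 30 minutes − set days" are assumptions; the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records. The field names (id, token_type, created_at,
# last_used_at) are assumptions made for this example.
SAMPLE_TOKENS = [
    {"id": "old-unused", "token_type": "normal",
     "created_at": "2023-09-01T08:00:00+00:00", "last_used_at": "2023-09-05T08:00:00+00:00"},
    {"id": "old-active", "token_type": "normal",
     "created_at": "2023-10-01T08:00:00+00:00", "last_used_at": "2024-05-30T08:00:00+00:00"},
    {"id": "never-used", "token_type": "normal",
     "created_at": "2023-08-01T08:00:00+00:00", "last_used_at": None},
    {"id": "recent", "token_type": "normal",
     "created_at": "2024-05-20T08:00:00+00:00", "last_used_at": None},
    {"id": "long-lived", "token_type": "long_lived_access_token",
     "created_at": "2022-01-01T08:00:00+00:00", "last_used_at": None},
]
NOW = datetime.fromisoformat("2024-06-01T12:00:00+00:00")  # constructed "current" time


def select_stale_tokens(tokens, now, retention_days, keep_active_days=None):
    """Return ids of "normal" tokens created before the cutoff (hypothetical helper)."""
    # Cutoff as read from the thread: now (+30 minutes) minus the set days.
    cutoff = now + timedelta(minutes=30) - timedelta(days=retention_days)
    active_since = None
    if keep_active_days is not None:
        active_since = now - timedelta(days=keep_active_days)
    stale = []
    for tok in tokens:
        if tok["token_type"] != "normal":
            continue  # assumption: long-lived and system tokens are left alone
        if datetime.fromisoformat(tok["created_at"]) >= cutoff:
            continue  # younger than the retention window
        last_used = tok.get("last_used_at")
        if active_since and last_used and datetime.fromisoformat(last_used) >= active_since:
            continue  # still in use: revoking it would trigger failed re-logins
        stale.append(tok["id"])
    return stale


if __name__ == "__main__":
    print(select_stale_tokens(SAMPLE_TOKENS, NOW, retention_days=90))
    print(select_stale_tokens(SAMPLE_TOKENS, NOW, retention_days=90, keep_active_days=7))
```

Without the keep-active window the nine-month-old token that was used two days ago is selected too, which is the case that leads to repeated failed logins and, with ip_ban enabled, a ban.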