I have this continuously growing list of refresh tokens on my profile. I believe they are created either on login or anytime HA is opened in a new window (can’t remember which). It doesn’t seem like they ever go away though, they just hang around indefinitely listed on my profile. I think if you log out it probably destroys the token but I never log out on my devices and I’m sure I’m not alone in that.
I don’t really know if there’s a security risk to having old refresh tokens around but it does bug me. Can HA start purging any refresh tokens that haven’t been used in 2 weeks or a month to keep this in check? If it hasn’t been used in a couple weeks its really unlikely to still be active anywhere. Or give me a way to delete them in bulk along with a bit more info about them (like what device name or user agent was used to create them).
