Why the heck do I have all these refresh tokens?

I have this continuously growing list of refresh tokens on my profile. I believe they are created either on login or anytime HA is opened in a new window (can’t remember which). It doesn’t seem like they ever go away though, they just hang around indefinitely listed on my profile. I think if you log out it probably destroys the token but I never log out on my devices and I’m sure I’m not alone in that.

I don’t really know if there’s a security risk to having old refresh tokens around but it does bug me. Can HA start purging any refresh tokens that haven’t been used in 2 weeks or a month to keep this in check? If it hasn’t been used in a couple weeks it’s really unlikely to still be active anywhere. Or give me a way to delete them in bulk along with a bit more info about them (like what device name or user agent was used to create them).
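The purge rule asked for above (drop refresh tokens unused for two weeks or a month), sketched as an added example that is not part of the original post or of Home Assistant's own code. It assumes the token fields and the `auth/refresh_tokens` / `auth/delete_refresh_token` WebSocket commands that the profile page uses; the sample tokens and the helper names `stale_token_ids` and `delete_messages` are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the reply to Home Assistant's
# "auth/refresh_tokens" WebSocket command (all values are made up).
SAMPLE_TOKENS = [
    {"id": "aaa111", "type": "normal", "client_id": "https://ha.example/",
     "created_at": "2023-01-02T08:00:00+00:00",
     "last_used_at": "2023-01-03T09:30:00+00:00", "is_current": False},
    {"id": "bbb222", "type": "normal", "client_id": "https://ha.example/",
     "created_at": "2023-05-20T08:00:00+00:00",
     "last_used_at": "2023-05-30T21:15:00+00:00", "is_current": True},
    {"id": "ccc333", "type": "long_lived_access_token", "client_id": None,
     "created_at": "2022-06-01T08:00:00+00:00",
     "last_used_at": "2022-06-01T08:05:00+00:00", "is_current": False},
    {"id": "ddd444", "type": "normal", "client_id": "https://ha.example/",
     "created_at": "2023-02-10T08:00:00+00:00",
     "last_used_at": None, "is_current": False},
    {"id": "eee555", "type": "normal", "client_id": "https://ha.example/",
     "created_at": "2023-05-01T08:00:00+00:00",
     "last_used_at": "2023-05-25T07:00:00+00:00", "is_current": False},
]


def stale_token_ids(tokens, now, max_idle=timedelta(days=30)):
    """Return ids of browser-login tokens idle for longer than max_idle."""
    stale = []
    for tok in tokens:
        # Long-lived and system tokens back integrations, and the current
        # session is the one running the cleanup: never auto-purge those.
        if tok["type"] != "normal" or tok.get("is_current"):
            continue
        # A token that was never used is aged from its creation time instead.
        stamp = tok.get("last_used_at") or tok["created_at"]
        if now - datetime.fromisoformat(stamp) > max_idle:
            stale.append(tok["id"])
    return stale


def delete_messages(token_ids, first_msg_id=1):
    """Build one "auth/delete_refresh_token" WebSocket message per stale token."""
    return [{"id": first_msg_id + i, "type": "auth/delete_refresh_token",
             "refresh_token_id": tid} for i, tid in enumerate(token_ids)]


if __name__ == "__main__":
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)  # fixed "now" for the sample
    for msg in delete_messages(stale_token_ids(SAMPLE_TOKENS, now)):
        print(msg)
```

Reviewing the selected ids before sending the delete messages is worthwhile, since a token with no recorded last use is judged only by its creation time.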

Had an unfinished mockup for this additional info (icons, device/service names etc):

Also agree that it should be easier to clean up inactive login sessions, voted.

4 Likes

Would love the option to purge the old ones.

Sometimes I spend minutes hunting around for the Long-Lived Access Tokens section until I remember it’s underneath that long list of refresh ones.

4 Likes