Ban / Unban
Banning a user immediately invalidates all their tokens and prevents them from logging in.
Ban a User
```python
await auth.ban_user(user_id)
```

This does three things atomically:
- Sets `banned=True` on the user record
- Bumps the `token_version`, so all existing access tokens are rejected
- Revokes all refresh tokens, so no new access tokens can be issued
The user is locked out immediately, even if they have a valid access token.
Unban a User
```python
await auth.unban_user(user_id)
```

Sets `banned=False`. The user can log in again.
Banned User Behavior
| Action | Result |
|---|---|
| Login (email/password) | 403 Forbidden |
| Login (OAuth) | 403 Forbidden |
| Refresh token | Rejected |
| Access token | Rejected (token version mismatch) |
| Introspection | Returns `active: false` |
How Instant Invalidation Works
Access tokens are stateless JWTs: the server does not check the database on every request. So how does banning work instantly?

Each access token contains a `ver` (token version) claim. When a user is banned, their `token_version` in the database is bumped. Any token whose `ver` is older than the stored version is rejected.
For microservices using authfort-service with JWKS-only verification (no introspection), the ban takes effect when the access token expires (default: 15 minutes). To get instant invalidation in microservices, enable introspection.
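To make the version check concrete, here is an added, self-contained illustration of the mechanism described above. It is not authfort's own code: the `users` and `refresh_tokens` dicts stand in for the user store, the HS256 secret is a constructed placeholder, and the atomicity of the real `ban_user` is not modelled.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed placeholder, not authfort's key material

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(user_id: str, ver: int, ttl: int = 900) -> str:
    """Mint an HS256 JWT whose `ver` claim is the user's current token_version."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user_id, "ver": ver, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_access_token(token: str, users: dict) -> Optional[dict]:
    """Signature and expiry are checked statelessly; then `ver` is compared with the
    user's stored token_version. Returns the claims, or None when the token is rejected."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    user = users.get(claims.get("sub"))
    if claims.get("exp", 0) < time.time() or user is None or user["banned"]:
        return None
    if claims.get("ver") != user["token_version"]:
        return None  # token version mismatch: issued before the ban bumped the version
    return claims

def ban_user(users: dict, refresh_tokens: dict, user_id: str) -> None:
    """The three steps the page lists: set the flag, bump the version, revoke refresh tokens."""
    users[user_id]["banned"] = True
    users[user_id]["token_version"] += 1
    for rt in [rt for rt, owner in refresh_tokens.items() if owner == user_id]:
        del refresh_tokens[rt]

def unban_user(users: dict, user_id: str) -> None:
    """Only clears the flag; the version stays bumped, so pre-ban tokens remain rejected."""
    users[user_id]["banned"] = False
```

Note that after `unban_user` the old token is still rejected because the stored version was never lowered; the user has to log in again and receive a token carrying the new `ver`.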
Events
Emits `user_banned` and `user_unbanned` events. See Events & Hooks for all events and their payloads.