This documentation is for WSO2 API Manager 2.6.0. View documentation for the latest release.

All docs This doc

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Correct the audit table name


This cleanup is done within the product. It cleans up unused token related data during the runtime. This is an event-based cleaning where specific entries based on specific user actions are cleaned. For e.g., when an access token is revoked, this revoked token is taken from the access token table and put into the IDN_OAUTH2_ACCESS_TOKEN_AUDIT table. In addition to revoked tokens, inactive and expired tokens also accumulate in this table. This table is not used by the WSO2 API-M. These tokens are kept in the database for logging and audit purposes, but they can have a negative impact on the server's performance over time. Therefore, it is recommended to clean them.


From 2.6.0 onwards, WSO2 API Manager is configured by default to trigger token clean up during token generation, token refreshing, and token revocation. Therefore, when the state of the token (`TOKEN_STATE`) is changed during any of the latter mentioned processes for tokens that were in the `ACTIVE` state before, by default, such tokens will be removed from the IDN_OAUTH2_ACCESS_TOKEN table and stored in an audit table (IDN_OAUTH2_ACCESS_TOKEN_AUDIT). Thus you don't need to manually clean up the unused tokens as guided below from API-M 2.6.0 onwards.