When I run $user->currentAccessToken()->delete(); the token expires, Auth::check() becomes false, which is expected.
However, when I go to the personal_access_tokens table, the token is still there. There is no soft delete field. How does Sanctum know that the token is expired?
You can set the expiration array node in config/sanctum.php:
/*
|--------------------------------------------------------------------------
| Expiration Minutes
|--------------------------------------------------------------------------
|
| This value controls the number of minutes until an issued token will be
| considered expired. If this value is null, personal access tokens do
| not expire. This won't tweak the lifetime of first-party sessions.
|
*/
'expiration' => 60 * 24 * 7,
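
The following is an added example, not part of the original answer and not Sanctum's own code. It models a minutes-based expiry decision like the one the config comment describes, showing why an expired row can still be present in personal_access_tokens: expiry is computed from the row's created_at at check time, not stored as a flag. The function names, row layout, and sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Illustrative model of a minutes-based expiry check; not Sanctum's source.
// $expirationMinutes mirrors the 'expiration' value in config/sanctum.php.
function tokenIsExpired(DateTimeImmutable $createdAt, ?int $expirationMinutes, DateTimeImmutable $now): bool
{
    if ($expirationMinutes === null) {
        return false; // null: personal access tokens do not expire
    }
    // The token is expired once now reaches created_at + expiration minutes.
    $deadline = $createdAt->modify("+{$expirationMinutes} minutes");
    return $now >= $deadline;
}

// Split stored rows into tokens that still authenticate and tokens that are
// rejected as expired even though the row is still in the table.
function splitStoredTokens(array $rows, ?int $expirationMinutes, DateTimeImmutable $now): array
{
    $result = ['usable' => [], 'expired_but_stored' => []];
    foreach ($rows as $row) {
        $createdAt = new DateTimeImmutable($row['created_at'], new DateTimeZone('UTC'));
        $bucket = tokenIsExpired($createdAt, $expirationMinutes, $now)
            ? 'expired_but_stored'
            : 'usable';
        $result[$bucket][] = $row['id'];
    }
    return $result;
}

// Constructed sample rows standing in for personal_access_tokens.
$rows = [
    ['id' => 1, 'created_at' => '2024-01-01 00:00:00'],
    ['id' => 2, 'created_at' => '2024-01-09 12:00:00'],
];
$now = new DateTimeImmutable('2024-01-10 00:00:00', new DateTimeZone('UTC'));

// The answer's setting (60 * 24 * 7 minutes, i.e. 7 days) applied to the rows.
print_r(splitStoredTokens($rows, 60 * 24 * 7, $now));

// A null setting applied to the same rows: no row is treated as expired.
print_r(splitStoredTokens($rows, null, $now));
```

Rows that land in the expired group are not removed by the check itself; Sanctum provides the `sanctum:prune-expired` Artisan command for deleting them on a schedule.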