Invalidate backend session

I use React with Spring Boot as a Backend. To use Keycloak I added the “keycloak-spring-boot-starter” dependency. It’s working good, I can use my token to request things from it, but there is one problem. If I logout and my session in Keycloak is deleted, I can still use the token to request things from Spring Boot. It works until the token is not valid anymore (3 minutes). How can I make sure that the backend won’t accept the token anymore or ask Keyclaok again if it’s still valid?

That’s the nature of JWTs - they are “self-containing” and can be used until expired.

In case you want your session in your backend ist invalidated when logging out at Keycloak, use the admin-url configuration (see and scroll down to “Admin URL”.

To check in Keycloak if a token is still valid, you can use the token_introspection endpoint, this is part of the authorization services, somewhere in