Workflow API Login action access token delete


I have an API workflow which includes the ‘Log the user in’ action. This workflow returns an access token which is saved to each user’s User record. The access token is used by the user to authenticate subsequent requests to other API workflows. It’s included in the request header as a bearer token like this: Authorization: Bearer ACCESS_TOKEN. I see these tokens as API keys for app users.

For clarity, I’m using the “– Create Sign up/Login API workflows” method described in the Bubble manual here

Workflow config:

Log the user in action config:

All works fine. However, if a user requires a new token, the old token should be deleted or otherwise cease to work. Unfortunately, old tokens remain valid. I can make requests using different tokens created by the same user.

If a token becomes compromised, access to the API will be possible even if a new token is created.

Is there a way to delete unwanted tokens so that only 1 token will be usable at any one time for each user, or am I looking at this completely the wrong way?

Many thanks

Save new tokens to the user in DB (overwriting old).
Requests to workflows include the token in the header (Authorization: Bearer ACCESS_TOKEN) and also in the body data too.
Start workflows with a ‘Terminate this workflow’ action including the conditional: Only When Request data’s body ACCESS_TOKEN is not current user’s ACCESS_TOKEN. Therefore old tokens will cause a false and the workflow will terminate!
Current user will work because the Header token is recognised by Bubble as being assigned to the user.
Old tokens are still valid as far as Bubble is concerned but they will not work if they are used in a request to a workflow.
I’d still like old tokens to be deleted!
It’s good practice to include a Return data from API action BEFORE the Terminate this workflow with a Message parameter informing the recipient of the error.
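
Added example, not part of the original posts and not Bubble's own code: a small Python model of the workaround above, where the platform keeps accepting every bearer token it ever issued but the workflow only proceeds when the body token matches the single current one stored for the user. All names (`login`, `handle_request`, `call`, the two dictionaries) are hypothetical, and storing a SHA-256 digest instead of the raw token is an assumption that goes beyond what the post describes.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins: the platform's token store and the app's User table.
platform_tokens = {}   # token -> user id; the platform never expires old ones
current_digest = {}    # user id -> SHA-256 of the one token the app accepts


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def login(user_id: str) -> str:
    """Issue a token and overwrite the stored one (first step of the workaround)."""
    token = secrets.token_urlsafe(32)
    platform_tokens[token] = user_id
    current_digest[user_id] = _digest(token)
    return token


def handle_request(headers: dict, body: dict) -> tuple[int, dict]:
    """Gate a workflow: header identifies the user, body token must be current."""
    scheme, _, bearer = headers.get("Authorization", "").partition(" ")
    user_id = platform_tokens.get(bearer) if scheme == "Bearer" else None
    if user_id is None:
        return 401, {"error": "unknown bearer token"}
    supplied = body.get("ACCESS_TOKEN")
    if not isinstance(supplied, str):
        return 401, {"error": "ACCESS_TOKEN missing from body"}
    # Constant-time compare so response timing does not leak digest bytes.
    if not hmac.compare_digest(_digest(supplied), current_digest[user_id]):
        # Return data first, then terminate, as the post recommends.
        return 401, {"error": "token superseded, log in again"}
    return 200, {"user": user_id}


def call(token: str) -> tuple[int, dict]:
    """Client side: same token in the header and in the body."""
    return handle_request({"Authorization": f"Bearer {token}"},
                          {"ACCESS_TOKEN": token})
```

The check only protects workflows that actually start with it; any workflow without the comparison still accepts a superseded token, because the platform itself continues to recognise it.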