Removing Unused Tokens from the Database


From 2.6.0 onwards, WSO2 API Manager is configured by default to trigger token clean up during token generation, token refreshing and token revocation. Therefore, when the state of the token (TOKEN_STATE) is changed during any of the latter mentioned processes for tokens that were in the ACTIVE state before, by default, such tokens will be removed from the IDN_OAUTH2_ACCESS_TOKEN table and stored in an audit table. Thus you don't need to manually cleanup the unused tokens as guided below from API-M 2.6.0 onwards.

As you use WSO2 API Manager, the number of revoked, inactive and expired tokens accumulate in the IDN_OAUTH2_ACCESS_TOKEN table. These tokens are kept in the database for logging and audit purposes, but they can have a negative impact on the server's performance over time. Therefore, it is recommended to clean them.

The following methods can be used for token cleanup:

Configuring API Manager for token cleanup

WSO2 API Manager triggers token cleanup during the following instances.

  • Token generation
  • Token refresh
  • Token revocation


This cleanup procedure is enabled by default. In this scenario Inactive, Revoked, Expired tokens will be cleaned. If you disabled this procedure and after some time you want to enable this cleanup procedure it is better to clean the access token table using script provided and enable the feature.

To enable or disable token cleanup, open the <API-M_HOME>/repository/conf/deployment.toml file and do the following changes.(add the configuration if not exists in the deployment.toml file)

enable = true
retain_access_tokens_for_auditing = true
Property Description
enable Set this property to true to enable token cleanup. Set it to false to disable token cleanup.
retain_access_tokens_for_auditing Set this property to true to move the old, invalid tokens to the Audit table when token cleaning is enabled.Set it to false if you do not wish to store old tokens in the Audit table.

Using stored procedures for token cleanup

Alternatively, you can also use the stored procedures provided below, to run a token cleanup task periodically to remove the old and invalid tokens.


It is safe to run these steps in read-only mode or during a time when traffic on the server is low, but that is not mandatory.

  1. Take a backup of the running database.
  2. Set up the database dump in a test environment and test it for any issues.

    For more information on setting up a database dump, go to the MySQL , SQL Server , and Oracle official documentation.


We recommend you to test the database dump before the cleanup task as the cleanup can take some time.

  1. Depending on your database, select the appropriate token cleanup script from here and run it on the database dump. This takes a backup of the necessary tables, turns off SQL updates and cleans the database of unused tokens.

  2. Once the cleanup is over, start the API Manager pointing to the cleaned-up database dump and test thoroughly for any issues. You can also schedule a cleanup task that will automatically run after a given period of time. Here's an example:

Schedule task for MySQL

DROP EVENT IF EXISTS 'cleanup_tokens_event';
CREATE EVENT 'cleanup_tokens_event'
        EVERY 1 WEEK STARTS '2018-01-01 00:00.00'
        CALL 'WSO2AM_DB'.'cleanup_tokens'();
-- 'Turn on the event_scheduler'
SET GLOBAL event_scheduler = ON;

Schedule task for SQL Server

-- Creates a schedule named CleanupTask.   
-- Jobs that use this schedule execute every day when the time on the server is 01:00.   
EXEC sp_add_schedule  
    @schedule_name = N'CleanupTask' ,  
    @freq_type = 4,  
    @freq_interval = 1,  
    @active_start_time = 010000 ;  
-- attaches the schedule to the job BackupDatabase  
EXEC sp_attach_schedule  
    @job_name = N'BackupDatabase',  
    @schedule_name = N'CleanupTask' ;  

Replace WSO2AM_DB with the name of your API Manager database in the above script.