Authlete issues a new access token for each time when the same user grants authorization request from a client (i.e. authorization server calls Authlete's /auth/authorization/issue API with the same "subject" value).

By default, Authlete doesn't invalidate tokens that are related to the user and have been issued before. Thus the client eventually has multiple valid tokens at the same time.

In some environment, authorization server is required not to issue multiple valid tokens in such a way. For Authlete to achieve this, it provides "Single Access Token Per Subject" option is Service Owner Console.

Once enabled, Authlete invalidates previous tokens in conjunction with issuing a new token. It ensures the newest token is the only valid one.