Authlete issues a new access token for each time when the same user grants authorization request from a client (i.e. authorization server calls Authlete's /auth/authorization/issue API with the same "subject" value).

By default, Authlete doesn't invalidate access tokens that are related to the user and have been issued before. Thus the client eventually has multiple valid access tokens at the same time.

In some environment, authorization server is required not to issue multiple valid access tokens in such a way. For Authlete to achieve this, it provides "Single Access Token Per Subject" option in Service Owner Console.

Once enabled, Authlete invalidates previous access tokens and refresh tokens associated with them in conjunction with issuing a new access token. It ensures the newest access token is the only valid one.