FusionAuth
    Popular topics

      Solved: Use Microsoft Graph API with FusionAuth Entra login

      Q&A, posted by oliver.muthusami. 0 votes, 7 posts, 583 views.

      mark.robustelli

      @oliver-muthusami hmmm. I did some poking around Microsoft's documentation and found this.

      "The inclusion of the refresh token in the response can depend on several factors, including the specific configuration of your application and the scopes requested during the authorization process. If you expect to receive a refresh token in the response but fail to, consider the following factors:

      Scope requirements: Ensure that you're requesting the offline_access scope along with any other necessary scopes.
      Authorization grant type: The refresh token is provided when using the authorization code grant type. If your flow differs, the response can be affected.
      Client configuration: Check your application's settings in the identity platform. Certain configurations may restrict the issuance of refresh tokens."

      Are you sure you have Entra configured correctly?

      Unsolved: How can I configure session timeout on the admin panel?

      Q&A, posted by rachel.flatt. 0 votes, 4 posts, 299 views.

      mark.robustelli

      @rachel-flatt It is odd that you do not see the page. Are you an admin user? Can you post a screenshot with what you do see? (Please be sure to redact secrets and private information)

      Interpreting FusionAuth's Prometheus metrics

      General Discussion, posted by fabio.venturi. 0 votes, 4 posts, 274 views.

      mark.robustelli

      @dalamenona I see your point about Database_primary_pool_MaxConnections being set to 20 and the value for usage being reported above that. Browsing around the web, I came across something that said Database_primary_pool_Usage is over the lifetime of the application, but I can't seem to find the source now. You also make a valid point about the other data definitions. It may make sense to do a deeper dive into the HikariCP sources in general. There may be some answers there.

      Anyone here familiar with these numbers?

      It may also make sense for you to open an issue with FusionAuth as it is not clear to me if these numbers are coming from FusionAuth or HikariCP.

      Solved: How to Enforce Customer-Specific Session Lifetimes and Fast Deprovisioning for Federated Users in FusionAuth

      Frequently Asked Questions (FAQ), tag: idp, posted by wesley. 0 votes, 2 posts, 43 views.

      wesley

      There are a couple of overlapping layers here.

      Access tokens aren’t revocable by default
      Access tokens (JWTs) are self-contained. Once issued, they remain valid until they expire unless you implement a custom revocation strategy (such as token blacklisting). FusionAuth covers one approach here:
      https://fusionauth.io/articles/tokens/revoking-jwts
      So if your access token lifetime is 600 seconds, a disabled user could continue to access APIs until that token expires (up to ~10 minutes) unless you add an additional revocation layer.

      FusionAuth sessions are typically independent from the IdP
      Once the upstream IdP authenticates the user, FusionAuth generally maintains its own session state. If a user is disabled in the upstream IdP, that does not automatically invalidate FusionAuth sessions or prevent refresh token usage.
      So yes, depending on your implementation, a user can potentially continue to operate in FusionAuth even if they are disabled upstream, until you either:

      - expire/stop honoring their tokens, or
      - remove/disable the user in FusionAuth, or
      - enforce additional checks at login/session refresh time.

      Options to meet “disabled within 300 seconds” for one customer
      If you need disablement to take effect quickly without shortening sessions for everyone, you generally need an integration that pushes the disablement signal into FusionAuth (or into your resource servers).

      A. SCIM (best fit when the customer maps cleanly to a tenant)
      If your customer can be logically isolated (e.g., “customer A users live in tenant A”), SCIM is a strong option. The customer’s IdP can provision/deprovision users into FusionAuth, and a disable/delete action can remove their FusionAuth access (including sessions). This is the cleanest approach when tenant segmentation is possible.

      B. Event-driven deprovisioning (IdP → your service → FusionAuth API)
      If the customer’s IdP can emit events (user disabled/deprovisioned), you can build a lightweight integration that:

      - receives the IdP event, then
      - disables or deletes the corresponding user in FusionAuth via API.

      Once the user is disabled/deleted in FusionAuth, they won’t be able to continue normal authentication flows.

      C. Token revocation strategy (resource server enforcement)
      If the requirement is “deny access within 300 seconds,” the most deterministic way is to enforce it at the API/resource-server layer by:

      - using short access-token lifetimes (<= 300 seconds), and/or
      - adding token blacklisting / introspection-style checks in your APIs.

      This avoids relying on refresh token expiration to enforce disablement.

      About limiting refresh token lifetime per customer

      A reconcile lambda can help with user provisioning and claims, but it won’t reliably solve the core issue of existing sessions and refresh tokens already issued. There isn’t a simple “per-customer refresh token TTL override” you can apply after the fact without an architectural approach like the ones above.

      Solved: Why FusionAuth SAML Metadata Always Sets WantAssertionsSigned to False

      Frequently Asked Questions (FAQ), tag: saml, posted by wesley. 0 votes, 2 posts, 52 views.

      wesley

      At this time, FusionAuth does not support changing WantAssertionsSigned to true in the generated SAML metadata. This value is hard-coded and cannot be modified through IdP configuration or other settings.

      From a practical standpoint, this should not impact security or standards compliance. FusionAuth signs the entire SAML response using the verification key configured in the IdP. Since the assertion is part of the signed response, signing the assertion itself would be redundant and is not required by the SAML specification.

      If your client strictly requires WantAssertionsSigned="true" due to a non-standard or legacy implementation, this would need to be addressed on the Service Provider side, as FusionAuth cannot currently emit metadata with that value set to true.

      Editing user data in the UI

      Q&A, tags: user data user interface, posted by dan. 0 votes, 18 posts, 11.0k views.

      dan

      @brad sounds super frustrating.

      I'll send you a message.

      Solved: Why You Can’t Create New Hosted Instances in the FusionAuth Account Portal on Invoiced Billing

      Frequently Asked Questions (FAQ), tag: cloud, posted by wesley. 0 votes, 2 posts, 135 views.

      wesley

      You’re correct—there is no fixed limit on the number of hosted FusionAuth instances you can have.
      However, since your account is on invoiced billing, new hosted deployments cannot be created directly through the Account Portal. That functionality is only available for self-serve billing accounts.

      Next Steps

      Our Customer Success team will reach out to you via email. They’ll help provision the additional non-production instances and add them to your existing order.

      Once that’s complete, you’ll have access to the new hosted deployments without needing to manage them through the portal yourself.

      Solved: How to Authenticate API Clients and End Users in the Same FusionAuth Tenant Using Entities

      Frequently Asked Questions (FAQ), tag: login, posted by wesley. 0 votes, 2 posts, 148 views.

      wesley

      Yes, you can mix API clients and end-user logins within the same tenant. Tenant-level controls such as MFA do not prevent this when the authentication flows are properly separated.

      Recommended Approach: Use Entities for API Clients

      The most common and recommended pattern is to use Entities for API authentication:

      - End users authenticate using the Authorization Code grant, which can enforce MFA and other user-facing security requirements.
      - API clients authenticate using the Client Credentials grant via Entities.

      Because these are different OAuth grants and flows, tenant-level requirements like MFA apply to users but do not apply to API clients using client credentials.

      This allows both authentication types to coexist cleanly within the same tenant while maintaining appropriate security boundaries.

      Cost and Licensing

      There are no additional licensing or cost implications for using this approach:

      - Entities and the Client Credentials flow are included in FusionAuth plans.
      - API clients authenticated via Entities do not count as end users for MAU-based billing.

      Additional Resources

      These resources provide detailed guidance and examples:

      - API Authorization with FusionAuth
      - Entity Management Concepts
      - Using Entities for API Authorization (Video)

      This setup is widely used and should cover your use case well.

      Prometheus is dropping samples with duplicate timestamps

      General Discussion, posted by dalamenona. 0 votes, 2 posts, 379 views.

      mark.robustelli

      @dalamenona This error is coming from Prometheus right? Is there a way to get it to tell you which metric is being reported? If not, could you set up a network monitor and capture the traffic that is being sent to narrow down the metric being sent by FusionAuth that is causing the problem? Maybe then we can look into why FusionAuth is sending the conflicting data.

      Unsolved: Unable to sort by fullName when formatted as "lastName, firstName"

      Q&A, posted by tnguyen. 0 votes, 2 posts, 220 views.

      mark.robustelli

      I just did a search on 1.61.0 in the Admin UI and my results were sortable by the name. Can you give us the exact query you used to use the search API and the search you used in the search bar? I am curious to see if that returns something different.

      Unsolved: fusion auth not changing the value of cookies named with account.at, account.rt after logout

      Q&A, posted by jvadaliya. 0 votes, 4 posts, 1.0k views.

      mark.robustelli

      @marcel-beutner If you have found a bug, you may want to report it using the FusionAuth Issues.

      NetworkError when attempting to fetch resource

      General Discussion, posted by kiouplidis. 0 votes, 4 posts, 13.0k views.

      Hi there, I'm working on the same project. Since this forum post, the error did not occur again for about a month, and it has recently occurred 3 times in the last week.
      The instance is a FusionAuth instance.
      (auth.*.ch is a CNAME (alias) for bnjmvfriojf0pzpzhtmmz6xf2sgl6b.durable.fusionauth.io)

      The access where the error occurs was via browser (Firefox, to be exact, if Sentry is to be believed).

      There are no recent changes to the CORS config.

      For most of our users this does not seem to be an issue. It happens in a very isolated way for a handful of users.