app/stories/admin/ADM-007-blocklist-management.md
2025-11-30 15:01:28 +00:00

Manage JWT Blocklist

ID: ADM-007 Priority: Medium Status: Planned

User Story

As a platform administrator, I want to view and manage the JWT blocklist so that I can revoke tokens during security incidents and verify that revocations are working.

Acceptance Criteria

  • View all blocked JWT IDs with metadata
  • Search blocklist by JWT ID or user
  • Manually add JWTs to blocklist
  • View reason for each blocklist entry
  • Blocklist entries show expiration (when they can be removed)
  • Bulk revoke all tokens for a user
  • Bulk revoke all tokens for an organization
  • Automatic cleanup of expired blocklist entries

Technical Notes

  • JwtManager has blockedJwtIdList infrastructure
  • pushOrGetJwtIdBlocklist endpoint exists
  • Need admin UI for blocklist management
  • ReceptionHousekeeping could handle cleanup
  • Consider Redis for high-performance blocklist checks
  • Enhancement to existing blocklist infrastructure
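
The sketch below is an added example, not code from this project: it shows how per-token entries, a per-user bulk revoke, and expiry-based cleanup from the acceptance criteria can fit together. The class name, method names, and claim layout (`jti`, `sub`, `iat`, `exp` in seconds) are assumptions and do not reflect the JwtManager or pushOrGetJwtIdBlocklist interfaces.

```javascript
// Hypothetical in-memory blocklist; all names here are illustrative assumptions.
class JwtBlocklist {
  constructor() {
    this.entries = new Map();       // jti -> { userId, reason, expiresAt }
    this.revokedBefore = new Map(); // userId -> { cutoff, reason, expiresAt }
  }
  // Block one token. The entry can be removed once the token's own exp has
  // passed, because an expired token fails validation anyway.
  block(jti, { userId, reason, exp }) {
    this.entries.set(jti, { userId, reason, expiresAt: exp });
  }
  // Bulk revoke: reject every token for the user issued at or before `now`.
  // The rule is kept for the longest token lifetime, after which no such
  // token can still be valid.
  revokeAllForUser(userId, reason, now, maxTokenLifetime) {
    this.revokedBefore.set(userId, { cutoff: now, reason, expiresAt: now + maxTokenLifetime });
  }
  // Call only with claims from a token whose signature and exp were verified.
  isRevoked(claims) {
    if (this.entries.has(claims.jti)) return true;
    const rule = this.revokedBefore.get(claims.sub);
    return rule !== undefined && claims.iat <= rule.cutoff; // ties fail closed
  }
  // Search by JWT ID substring or exact user ID.
  search(term) {
    return [...this.entries]
      .filter(([jti, e]) => jti.includes(term) || e.userId === term)
      .map(([jti, e]) => ({ jti, ...e }));
  }
  // Housekeeping pass: drop entries and rules whose expiry has passed.
  cleanup(now) {
    let removed = 0;
    for (const map of [this.entries, this.revokedBefore]) {
      for (const [key, e] of map) {
        if (e.expiresAt <= now) { map.delete(key); removed++; }
      }
    }
    return removed;
  }
}

// Constructed sample data (timestamps are arbitrary seconds).
const demo = new JwtBlocklist();
demo.block('jti-a', { userId: 'alice', reason: 'stolen laptop', exp: 2000 });
demo.revokeAllForUser('bob', 'incident response', 1500, 3600);
console.log(demo.search('alice'), demo.cleanup(2000));
```

A bulk revoke for an organization follows the same pattern with the rule keyed on an organization claim instead of `sub`.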