Hi All,
Invalidate Previous Password Reset Links Upon Request for New Reset.
We’re encountering a security concern in our Keycloak implementation where multiple active password reset links pose a risk.
Upon sending multiple reset password requests, all previous links remain active, allowing users to reset their password using any of the previous links.
We want to invalidate previous password reset links when a new reset password request is made for the same user.
Could you advise on how to configure this in Keycloak or suggest an approach to achieve this security enhancement?
Thank You
This is not possible, because the sent links are not stored, the key in the link is a JWT and will be evaluated stateless. As long as the JWT ist valid/not expired, you can use it. 
If you really think this is a security risk (Keycloak is now 10 yrs old and really nobody should have seen it before!? really!?), create an issue or follow the guidelines of reporting security risks to the Keycloak project mentioned on the website.
Thank you very much, Sir,
Your explanation regarding the stateless evaluation of JWTs in Keycloak is incredibly helpful in understanding the current limitations.
I truly appreciate your expertise and guidance on this matter.
I will certainly consider following the guidelines for reporting potential security enhancements to the Keycloak project.
Thank you once again for your time and support.