Problem
The pr_data_token table stores OAuth and OpenID Connect (OIDC) authentication token data that is used to manage secure access to your application. These tokens are created and refreshed automatically as you sign in and interact with the system/application.
In some client environments, expired token records accumulate faster than the platform's default cleanup process can remove them. As a result, the pr_data_token table grows steadily over time and can grow significantly beyond expected operational thresholds and limits.
If not addressed, excessive table growth can increase the risk of performance degradation.
Symptoms
One or more environments experience significant growth of the pr_data_token table. As the table grows, you may observe:
- Increased database storage consumption
- Larger-than-expected volumes of OAuth/OIDC token records
- Risk of application or database performance degradation
- Expired token records accumulating faster than the default cleanup process can remove them
Impact
When expired token records accumulate faster than they are removed, the pr_data_token table can continue to grow significantly over time. Excessive table growth increases the risk of:
- Application performance degradation
- Database performance degradation
- Increased storage consumption
- Additional operational overhead effort to manage oversized tables
Root Cause
Growth of the pr_data_token table occurs because token generation exceeds token cleanup capacity. The factors contributing to the excessive table growth include:
- Constellation application authentication activity
- OAuth 2.0 connector usage
- OIDC-based authentication patterns
- Application-specific authentication token generation pattern behavior
During authentication, new tokens are continuously created as users sign in and tokens are refreshed. However, the default cleanup process removes only a limited number of expired tokens during each execution. Over time, this imbalance can result in significant accumulation of expired token records.
To ensure ongoing table maintenance and hygiene and help prevent recurrence, implement the following remediation and preventive measures.
Resolution
One-time cleanup
To reduce the size of the pr_data_token table, perform a one-time cleanup/purge of expired token records. For Pega Cloud environments, coordinate with Pega Cloud Operations to perform the purge through a Cloud Change (CC) request during a planned maintenance window. Doing this ensures that active end users are not impacted.
Review OAuth token settings
For Constellation applications:
- Review the OAuth2 Client Registration rule form.
- Validate access-token lifetime settings are defined correctly.
- Validate refresh-token lifetime settings are defined correctly.
- Ensure values align with business requirements and application usage requirements.
Proper token lifetime configuration helps reduce unnecessary token accumulation.
Increase token cleanup capacity
Configure the following Dynamic System Settings (DSS) in the Pega-IntegrationEngine ruleset, to increase the cleanup capacity and prevent recurrence.
| Purpose | Value |
|---|---|
| OAuth2/ExpiredTokenCleanUp | 1 |
| OAuth2/ExpiredTokenCleanUp/maxrecords | 10000 or higher, based on the environment's daily token insertion rate |
Additional Information
How to identify environments at risk
Environments may require investigation if:
- The pr_data_token table continues to grow over time.
- Large numbers of expired OAuth/OIDC tokens are present.
- Token insertion rates significantly exceed cleanup rates.
Permanent product improvement
A product enhancement is being targeted in a future patch release to address this issue more comprehensively.
Until the enhancement becomes available, implement the cleanup and preventive measures described in this article.
Getting help
If you require assistance:
- Open a Support case through My Support Portal.
- For Pega Cloud environments, work with Pega Cloud Operations to coordinate any required Cloud Change activities.