Hi, is there any way to block a user for a period of time? 🤔
05/11/2022, 3:19 PM
Well, not built into SuperTokens, but you can always modify that user's access token payload to indicate that they should be blocked until some expiry time.
And then post session verification, you can check if that time has passed, if not, return an unauthorised error (non 401 status code), else let the API run.
When you modify the access token's payload (in offline mode), it will take some time to propagate that change to the user's session (depending on the access token's lifetime). But if you want it to happen immediately, cache the fact that you changed the access token for that user and check for it in your APIs. When that user uses the app, and the API checks if their access token has been changed, then you can send a 401 to them, forcing a session refresh. The session refresh will update their access token's payload to have the fact that they are blocked and they will lose access immediately.