How to invalidate 'expired' Firebase Instance ID Token

Keeping your token registry up to date requires two steps:

  1. Remove outdated tokens from your application code.
  2. Check for outdated tokens and remove them when you send messages.

Your approach of removing a token that is no longer used is #1.

The second step though is to remove tokens from your registry/database when you get a messaging/invalid-registration-token or messaging/registration-token-not-registered response when trying to send a message to it. The functions-samples repo contains a great example of this:

// Assumes `admin` is an initialized firebase-admin instance and that
// `tokens` and `payload` are already defined.
admin.messaging().sendToDevice(tokens, payload).then((response) => {
  // For each message, check if there was an error.
  const tokensToRemove = [];
  response.results.forEach((result, index) => {
    const error = result.error;
    if (error) {
      console.error('Failure sending notification to', tokens[index], error);
      // Clean up the tokens that are no longer registered.
      if (error.code === 'messaging/invalid-registration-token' ||
          error.code === 'messaging/registration-token-not-registered') {
        // results[index] corresponds to tokens[index].
        tokensToRemove.push(tokens[index]);
      }
    }
  });
  // TODO: remove every token in tokensToRemove from your registry/database
  return tokensToRemove;
});

The above code uses the Firebase Admin SDK for Node.js, but the same logic could also be applied to other platforms or when sending messages through the HTTPS endpoints.
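The following is an added example, not part of the original answer or the functions-samples repo: it isolates the cleanup decision in a function that takes only the token list and the per-token results, so the same logic can be reused with any send path. The `Map` registry, the helper names and the sample tokens and results are assumptions constructed for illustration.

```javascript
// Error codes named in the answer that mean a token is permanently unusable.
const STALE_TOKEN_CODES = new Set([
  'messaging/invalid-registration-token',
  'messaging/registration-token-not-registered',
]);

// Hypothetical helper: split per-token results into stale tokens and other failures.
function classifySendResults(tokens, results) {
  if (tokens.length !== results.length) {
    // Results are matched to tokens by index; a mismatch would delete the wrong entries.
    throw new Error('tokens and results differ in length');
  }
  const stale = [];
  const otherFailures = [];
  results.forEach((result, index) => {
    if (!result.error) return; // delivered
    if (STALE_TOKEN_CODES.has(result.error.code)) {
      stale.push(tokens[index]);
    } else {
      // Any other error: keep the token and report it instead of deleting it.
      otherFailures.push({ token: tokens[index], code: result.error.code });
    }
  });
  return { stale, otherFailures };
}

// Hypothetical registry: a Map of token -> user id standing in for your database.
function pruneRegistry(registry, tokens, results) {
  const { stale, otherFailures } = classifySendResults(tokens, results);
  stale.forEach((token) => registry.delete(token));
  return { removed: stale, kept: otherFailures };
}

// Constructed sample data (not real tokens, not captured FCM output).
const sampleRegistry = new Map([
  ['tok-A', 'user1'], ['tok-B', 'user1'], ['tok-C', 'user2'], ['tok-D', 'user3'],
]);
const sampleTokens = [...sampleRegistry.keys()];
const sampleResults = [
  { messageId: 'm1' },
  { error: { code: 'messaging/registration-token-not-registered' } },
  { error: { code: 'messaging/server-unavailable' } },
  { error: { code: 'messaging/invalid-registration-token' } },
];
const outcome = pruneRegistry(sampleRegistry, sampleTokens, sampleResults);
console.log('removed:', outcome.removed, 'remaining:', [...sampleRegistry.keys()]);
```

Only the two codes from the answer trigger deletion; every other failure leaves the token in place, so an outage on the sending side does not empty the registry.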