diff --git a/src/ejabberd_auth.erl b/src/ejabberd_auth.erl
index f29ccbb96..ecb102bb8 100644
--- a/src/ejabberd_auth.erl
+++ b/src/ejabberd_auth.erl
@@ -755,7 +755,7 @@ db_set_password(User, Server, PlainPassword, Passwords, Mod) ->
 		  end
 	  end,
     case Ret of
-	{ok, _} -> ok;
+	{ok, _} -> ejabberd_hooks:run(set_password, Server, [User, Server]);
 	{error, _} = Err -> Err
     end.
 
diff --git a/src/ejabberd_sm.erl b/src/ejabberd_sm.erl
index f12cd39e0..296452736 100644
--- a/src/ejabberd_sm.erl
+++ b/src/ejabberd_sm.erl
@@ -481,8 +481,10 @@ c2s_handle_info(#{lang := Lang, bind2_session_id := {Tag, _}} = State,
     {stop, ejabberd_c2s:send(State1, Err)};
 c2s_handle_info(State, {replaced_with_bind_tag, _}) ->
     State;
-c2s_handle_info(#{lang := Lang} = State, kick) ->
+c2s_handle_info(#{lang := Lang, jid := JID} = State, kick) ->
     Err = xmpp:serr_policy_violation(?T("has been kicked"), Lang),
+    ejabberd_hooks:run(sm_kick_user, JID#jid.lserver,
+                       [JID#jid.luser, JID#jid.lserver]),
     {stop, ejabberd_c2s:send(State, Err)};
 c2s_handle_info(#{lang := Lang} = State, {exit, Reason}) ->
     Err = xmpp:serr_conflict(Reason, Lang),
diff --git a/src/mod_auth_fast.erl b/src/mod_auth_fast.erl
index 0cad39b85..c26c21072 100644
--- a/src/mod_auth_fast.erl
+++ b/src/mod_auth_fast.erl
@@ -30,7 +30,7 @@
 -export([mod_doc/0]).
 %% Hooks
 -export([c2s_inline_features/2, c2s_handle_sasl2_inline/1,
-	 get_tokens/3, get_mechanisms/1]).
+	 get_tokens/3, get_mechanisms/1, remove_user_tokens/2]).
 
 -include_lib("xmpp/include/xmpp.hrl").
 -include_lib("xmpp/include/scram.hrl").
@@ -54,7 +54,10 @@ start(Host, Opts) ->
     Mod = gen_mod:db_mod(Opts, ?MODULE),
     Mod:init(Host, Opts),
     {ok, [{hook, c2s_inline_features, c2s_inline_features, 50},
-	  {hook, c2s_handle_sasl2_inline, c2s_handle_sasl2_inline, 10}]}.
+	  {hook, c2s_handle_sasl2_inline, c2s_handle_sasl2_inline, 10},
+	  {hook, set_password, remove_user_tokens, 50},
+	  {hook, sm_kick_user, remove_user_tokens, 50},
+	  {hook, remove_user, remove_user_tokens, 50}]}.
 
 -spec stop(binary()) -> ok.
 stop(_Host) ->
@@ -165,3 +168,10 @@ c2s_handle_sasl2_inline({#{server := Server, user := User, sasl2_ua_id := UA,
 	_ ->
 	    Acc
     end.
+
+-spec remove_user_tokens(binary(), binary()) -> ok.
+remove_user_tokens(User, Server) ->
+    LUser = jid:nodeprep(User),
+    LServer = jid:nameprep(Server),
+    Mod = gen_mod:db_mod(LServer, ?MODULE),
+    Mod:del_tokens(LServer, LUser).
diff --git a/src/mod_auth_fast_mnesia.erl b/src/mod_auth_fast_mnesia.erl
index 53337b390..081449b6e 100644
--- a/src/mod_auth_fast_mnesia.erl
+++ b/src/mod_auth_fast_mnesia.erl
@@ -28,12 +28,12 @@
 
 %% API
 -export([init/2]).
--export([get_tokens/3, del_token/4, set_token/6, rotate_token/3]).
+-export([get_tokens/3, del_token/4, del_tokens/2, set_token/6, rotate_token/3]).
 
 -include_lib("xmpp/include/xmpp.hrl").
 -include("logger.hrl").
 
--record(mod_auth_fast, {key = {<<"">>, <<"">>, <<"">>} :: {binary(), binary(), binary()} | '$1',
+-record(mod_auth_fast, {key = {<<"">>, <<"">>, <<"">>} :: {binary(), binary(), binary() | '_'} | '$1',
 			token = <<>> :: binary() | '_',
 			created_at = 0 :: non_neg_integer() | '_',
 			expires_at = 0 :: non_neg_integer() | '_'}).
@@ -94,6 +94,14 @@ del_token(LServer, LUser, UA, Type) ->
 	end,
     transaction(F).
 
+-spec del_tokens(binary(), binary()) -> ok | {error, atom()}.
+del_tokens(LServer, LUser) ->
+    F = fun() ->
+        Elements = mnesia:match_object(#mod_auth_fast{key = {LServer, LUser, '_'}, _ = '_'}),
+	[mnesia:delete_object(E) || E <- Elements]
+	end,
+    transaction(F).
+
 -spec set_token(binary(), binary(), binary(), current | next, binary(), non_neg_integer()) ->
     ok | {error, atom()}.
 set_token(LServer, LUser, UA, Type, Token, Expires) ->