FAQs
To revoke a refresh token, send a POST request to https://{yourDomain}/oauth/revoke with a form-encoded body containing the client_id, the client_secret (confidential clients only) and the token to revoke. Note that the /oauth/revoke endpoint revokes the entire grant behind that token (every token issued under that user's authorization of that client), not just the token you pass. To revoke one specific refresh token by its ID, use the Management API /api/v2/device-credentials endpoint instead.
What is token revocation? ›
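The exchange described above, as an added example that is not Auth0's code: a client sends an RFC 7009 revocation request (form-encoded client_id, client_secret and token) to an in-process mock of an /oauth/revoke endpoint that, like Auth0's, revokes the whole grant behind the presented refresh token, so the access token issued under the same grant dies with it. The grant store, token values and the mock's 400/invalid_client status for a mismatched client are constructed for this example; check the real server's documented error codes before relying on them.

```python
"""Added example (not Auth0's code): an RFC 7009 revocation request sent to an
in-process mock of an /oauth/revoke endpoint that revokes the entire grant
behind the presented refresh token. Store, token values and the mock's error
status are constructed for this example."""
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed store: a grant (one user's consent to one client) owns every
# token issued under it, so revoking by any one of them revokes all of them.
GRANTS = {"grant-1": {"client_id": "abc123", "tokens": {"rt_aaa", "at_bbb"}}}
TOKEN_TO_GRANT = {"rt_aaa": "grant-1", "at_bbb": "grant-1"}


def revoke_grant_for_token(token):
    """Revoke the whole grant that issued `token`; return the tokens invalidated."""
    grant_id = TOKEN_TO_GRANT.get(token)
    if grant_id is None:
        return set()
    revoked = set(GRANTS.pop(grant_id)["tokens"])
    for t in revoked:
        TOKEN_TO_GRANT.pop(t, None)
    return revoked


def is_token_active(token):
    return token in TOKEN_TO_GRANT


class RevokeHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if self.path != "/oauth/revoke":
            self.send_response(404)
            self.end_headers()
            return
        token = form.get("token", [""])[0]
        client_id = form.get("client_id", [""])[0]
        grant_id = TOKEN_TO_GRANT.get(token)
        # Only the client the grant was issued to may revoke it. The 400 body
        # is this mock's own choice (assumption), not a documented Auth0 code.
        if grant_id is not None and GRANTS[grant_id]["client_id"] != client_id:
            self.send_response(400)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(json.dumps({"error": "invalid_client"}).encode())
            return
        # RFC 7009: an unknown or already-revoked token still gets 200, so the
        # endpoint cannot be used as an oracle for which tokens exist.
        revoke_grant_for_token(token)
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_server():
    server = HTTPServer(("127.0.0.1", 0), RevokeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def revoke_refresh_token(base_url, client_id, client_secret, refresh_token):
    """Client side: form-encoded POST to /oauth/revoke; returns the HTTP status."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,  # omitted for public clients
        "token": refresh_token,
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/oauth/revoke", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    srv = start_mock_server()
    base = f"http://127.0.0.1:{srv.server_port}"
    print(revoke_refresh_token(base, "abc123", "s3cret", "rt_aaa"),
          is_token_active("at_bbb"))  # the access token died with the grant
    srv.shutdown()
```

The client treats 200 as "revoked or never existed" and a 4xx as "nothing changed"; a real integration should log the 4xx body, since a mismatched client_id means the refresh token is still live.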
Token revocation is a mechanism that enables an app to invalidate authentication tokens.
Can an ID token be revoked? ›
Once issued, access tokens and ID tokens cannot be revoked in the same way as cookies with session IDs for server-side sessions. As a result, tokens should be issued for relatively short periods, and then refreshed periodically if the user remains active.
Should I revoke refresh token on logout? ›
Yes, when a user logs out, the refresh token should be invalidated automatically.
How do I revoke my token allowance? ›
Open Settings. Select Token Allowances. Select the token allowance you'd like to revoke by clicking Revoke. Note that there is a network fee for revoking allowances.
How do I invalidate my access token after logout? ›
There is no way to invalidate them at the resource server: they are bearer tokens, and an API accepts any unexpired token presented to it without asking the issuer whether the session still exists. If the token is used for accessing sensitive resources, Auth0 recommends a short access token lifetime to narrow the window in which a copied token can still be used after the user has logged out.
What is the revocation rule? ›
Revoking an Offer
This means that if you make an offer and the other party wants some time to think it through, or makes a counteroffer with changed terms, you can revoke your original offer. Once the other party accepts, however, you'll have a binding agreement. Revocation must happen before acceptance.
How do I revoke API token? ›
To revoke one API token:
- Go to admin.atlassian.com. Select your organization if you have more than one.
- Select Security > User API tokens.
- Select Revoke for the API token.
Can a token be deleted? ›
Deleting a token marks it as deleted, though it will remain in the ledger. The operation must be signed by the specified Admin Key of the token. If the Admin Key is not set, the transaction will fail with TOKEN_IS_IMMUTABLE.
Can access tokens be invalidated? ›
Token Revocation Mechanism
Another way to manage access tokens is by revoking them when they are no longer needed or when they are compromised. Token revocation is the process of invalidating a token before it expires, thereby preventing it from being used to access protected resources.
To revoke an access token, specify type accesstoken. To revoke both the access and refresh tokens, specify type refreshtoken. When it sees type refreshtoken, Apigee Edge assumes the token is a refresh token; if that refresh token is found, it is revoked along with the access tokens issued against it.
Are access tokens still valid after logout? ›
Currently, access tokens are valid until they expire, regardless of whether the user has logged out. In terms of security, invalidating access tokens right after the user logs out would reduce the window of opportunity for an attack.
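The two answers above (bearer access tokens cannot be invalidated, so keep their lifetime short) leave one thing a resource server can still do at logout: remember the IDs of tokens that were live when the user logged out, for no longer than those tokens would have lived anyway. The following is an added example, not Auth0's or any vendor's code, of a resource server that checks an HS256 JWT's signature and exp and consults such a denylist keyed by jti. The secret, token values and timestamps are constructed for the example; in production the key comes from configuration or a KMS, and the denylist would live in a shared store such as Redis with a TTL equal to the remaining lifetime.

```python
"""Added example (not Auth0's or Microsoft's code): verify a short-lived bearer
JWT and honour a logout denylist of token IDs that is purged as tokens expire.
Secret, token values and timestamps are constructed for this example."""
import base64
import binascii
import hashlib
import hmac
import json

SECRET = b"constructed-example-secret"  # assumption: real key comes from config/KMS
DENYLIST = {}  # jti -> exp, so an entry can be dropped once the token dies anyway


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(sub, jti, now, lifetime=300):
    """Mint an HS256 JWT; a 5 minute lifetime keeps the post-logout window small."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"sub": sub, "jti": jti, "iat": now, "exp": now + lifetime}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token, now):
    """Return the claims if signature, expiry and denylist all pass, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        # Always verify with our own key and algorithm; never trust the header's alg.
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, binascii.Error):
        return None
    if claims.get("exp", 0) <= now:
        return None  # an expired bearer token needs no revocation record at all
    if claims.get("jti") in DENYLIST:
        return None  # the user logged out while this token was still live
    return claims


def logout(token, now):
    """Deny the still-valid token presented at logout until its own expiry."""
    claims = verify_access_token(token, now)
    if claims is not None:
        DENYLIST[claims["jti"]] = claims["exp"]
    return claims is not None


def purge_denylist(now):
    """Drop entries whose token has expired; run this periodically. Returns size."""
    for jti in [j for j, exp in DENYLIST.items() if exp <= now]:
        del DENYLIST[jti]
    return len(DENYLIST)
```

The denylist never grows past the number of tokens still inside their lifetime, which is why a short lifetime matters twice: it bounds both the attacker's window and the state the resource server must keep.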
What happens when a token is revoked? ›
Understanding token revocation
A typical case might be when a user logs out of an OAuth-enabled app. A revoked token will no longer be useful for authorization. After a token has been revoked, if an app presents that token to an API proxy, an OAuthV2 policy with an Operation of VerifyAccessToken will reject that token.
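The revoke-by-type semantics quoted under "Can access tokens be invalidated?" and the verify step above, modelled in memory as an added example (this is not Apigee's code). It shows the practical difference between the two types: revoking only an access token leaves the refresh token usable, so the client simply mints a fresh access token, whereas revoking the refresh token takes down every access token issued against it and stops further refreshes. The TokenStore class and token strings are constructed for the example.

```python
"""Added example (not Apigee's code): type accesstoken revokes one access token;
type refreshtoken revokes the refresh token and every access token issued
against it, and a verify step rejects anything revoked. Store is constructed."""
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    access: dict = field(default_factory=dict)  # access token -> parent refresh token or None
    refresh: set = field(default_factory=set)
    revoked: set = field(default_factory=set)

    def issue(self, access_token, refresh_token=None):
        self.access[access_token] = refresh_token
        if refresh_token is not None:
            self.refresh.add(refresh_token)

    def invalidate(self, token, token_type):
        """Return the set of tokens revoked by this call (empty if not found)."""
        if token_type == "accesstoken":
            if token not in self.access:
                return set()
            self.revoked.add(token)
            return {token}
        if token_type == "refreshtoken":
            if token not in self.refresh:
                return set()
            # Cascade: the refresh token plus every access token minted from it.
            gone = {a for a, r in self.access.items() if r == token} | {token}
            self.revoked |= gone
            return gone
        raise ValueError(f"unknown token type {token_type!r}")

    def verify_access_token(self, token):
        """What a VerifyAccessToken step decides: known and not revoked."""
        return token in self.access and token not in self.revoked

    def refresh_access_token(self, refresh_token, new_access_token):
        """Grant flow: only a live refresh token can mint a new access token."""
        if refresh_token not in self.refresh or refresh_token in self.revoked:
            return False
        self.issue(new_access_token, refresh_token)
        return True
```

When a user logs out or a token leaks, revoke with type refreshtoken; revoking only the access token merely forces the client through one extra refresh.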
How do I revoke a user access token? ›
Note: You cannot revoke access tokens. Access tokens are short-lived and by default valid for 1 hour. However, when the refresh tokens are revoked, the application will not be able to redeem the refresh tokens (long-lived tokens) to acquire new access tokens.
What is the difference between auth token and refresh token? ›
The access token is used to authenticate API requests to access protected resources, while the refresh token is used to obtain new access tokens once the current ones expire.
How do you revoke an authorization? ›
Call and write the company. Tell the company that you are taking away your permission for the company to take automatic payments out of your bank account. This is called “revoking authorization.” If you decide to call, be sure to send the letter after you call and keep a copy for your records.
How do I revoke my vault token? ›
Revocation can happen manually via the API, via the vault lease revoke CLI command (vault token revoke for a token itself), via the user interface (UI) under the Access tab, or automatically by Vault. When a lease expires, Vault automatically revokes that lease. When a token is revoked, Vault also revokes all leases that were created using that token, so secrets fetched with it stop working too.