How would I go about revoking permission for a 3rd party after the user has authenticated from their side (through authorization code flow)?

The scenario is a user on a trusted 3rd party platform with client credentials has gone through our universal login (auth code flow) and now the 3rd party can access our API on their behalf using a refresh/access token.

How would I revoke the 3rd party access at the user’s request? Is it just a case of revoking the refresh token they are holding for that user so they can’t get another access token? If so, do I use the management API to do that? I have seen you can revoke the “authorized applications” tab against a user through the UI, but it needs to be done programmatically.

Thanks

Hi @jack.broadhurst,

Thanks for posting and sorry for the late reply.

You are also able to achieve this programmatically, using the Management API as you have already mentioned, or the Authentication API. You can check out our Revoke Refresh Tokens documentation that provides all the steps needed.

You can also check out this Knowledge Article about revoking Refresh Tokens for a user within Actions, since it might come in handy.

Additionally, Refresh Token Rotation can also be implemented for extra safety.

I hope this helps your use case, but others as well.
Thanks,
Remus
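
The Management API route mentioned in the reply, as an added example that is not part of the original thread or the vendor's own code. It assumes the Auth0 Management API v2 grants endpoints (`GET /api/v2/grants` and `DELETE /api/v2/grants/{id}`) and a Management API token with the `read:grants` and `delete:grants` scopes; the function name, tenant domain, token and ids are placeholders.

```python
import json
import urllib.parse
import urllib.request


def _http(method, url, token):
    """Default transport: one Management API call, returns parsed JSON or None."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def revoke_third_party_access(domain, mgmt_token, user_id, client_id, http=_http):
    """Delete every grant the user gave to one client; return the deleted grant ids.

    Deleting a grant also revokes the refresh tokens issued under it, which is
    the programmatic equivalent of revoking an "authorized application".
    """
    base = f"https://{domain}/api/v2/grants"
    query = urllib.parse.urlencode({"user_id": user_id, "client_id": client_id})
    grants = http("GET", f"{base}?{query}", mgmt_token) or []
    deleted = []
    for grant in grants:
        # Re-check locally (the response field is "clientID") so a filter
        # mistake can never remove another user's or application's grant.
        if grant.get("user_id") != user_id or grant.get("clientID") != client_id:
            continue
        grant_id = urllib.parse.quote(grant["id"], safe="")
        http("DELETE", f"{base}/{grant_id}", mgmt_token)
        deleted.append(grant["id"])
    return deleted


if __name__ == "__main__":
    # Constructed sample grants and a stub transport so the demo runs offline.
    sample = [{"id": "g1", "clientID": "partner-app", "user_id": "auth0|123"},
              {"id": "g2", "clientID": "other-app", "user_id": "auth0|123"}]
    stub = lambda method, url, token: sample if method == "GET" else None
    print(revoke_third_party_access("TENANT.example", "MGMT_TOKEN",
                                    "auth0|123", "partner-app", http=stub))
```

Access tokens already issued as JWTs stay valid until they expire, so revoking the grant stops new tokens from being obtained rather than cutting off access instantly; short access token lifetimes narrow that window.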