
Revoke Access token programmatically



I want to revoke one (all) refresh tokens of a user accessing a specific application.

In the Dashboard it is simple: in Users, Authorized Applications, click the “Revoke” button on the selected application.

But how do I do the same using the Auth0 API? In the docs I can only find /oauth/revoke, but for that I need to know the refresh token I want to revoke. Where can I find that programmatically? (I know my user and application.)


:wave: @SergioETrillo there’s an endpoint that will delete all grants and refresh tokens for a given user ID:
curl -X DELETE 'https://{{your-auth0-domain}}/api/v2/grants?user_id={{your-user-id}}'
Please note that this will also revoke all grants for the user, which may not be exactly what you would want. Please let me know if this works for you.


Thanks for the answer @kim.noel.
I am not too sure what the revocation of all grants for the user implies, but it seems it may work. I had figured out a solution as follows:

  • Get accessToken for v2
  • Get userId from email https://{{auth0-domain}}/api/v2/users?q=emailxxxxxxx&search_engine=v3
  • List device credentials refresh tokens for user: https://{{auth0-domain}}/api/v2/device-credentials?user_id=auth0|xxxxxxxxxxxxxxxx&type=refresh_token
  • Iterate the list and delete them with https://{{auth0-domain}}/api/v2/device-credentials/dcr_xxxxxxxxxx

But yours seems simpler.
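The steps listed in the post above, as an added Python example that is not part of the original thread and is not Auth0's own code. The function names, the injectable `call` transport, the optional `client_id` filter for narrowing to one application, and the scopes named in the docstring are assumptions of this example; obtaining the Management API token (the first step) is left to the caller.

```python
import json
import urllib.parse
import urllib.request


def http_json(method, url, token):
    """Default transport: call the Management API and decode the JSON body."""
    req = urllib.request.Request(url, method=method, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else None  # DELETE answers with no body


def revoke_refresh_tokens(domain, token, email, client_id=None, call=http_json):
    """Delete a user's refresh-token device credentials; return the deleted ids.

    `token` is a Management API v2 access token, assumed to carry
    read:users, read:device_credentials and delete:device_credentials.
    """
    if '"' in email:  # keep the value inside the quoted search term
        raise ValueError("email must not contain a double quote")
    base = f"https://{domain}/api/v2"

    # Resolve email -> user_id. One email can match several identities
    # (one per connection), so refuse to guess which user is meant.
    query = urllib.parse.urlencode({"q": f'email:"{email}"', "search_engine": "v3"})
    users = call("GET", f"{base}/users?{query}", token)
    if len(users) != 1:
        raise LookupError(f"expected 1 user for {email}, found {len(users)}")

    # List refresh-token credentials. urlencode percent-encodes the "|"
    # in ids such as "auth0|abc123", which a hand-built URL would not.
    params = {"user_id": users[0]["user_id"], "type": "refresh_token"}
    if client_id:
        params["client_id"] = client_id  # assumption: narrow to one application
    listing = f"{base}/device-credentials?{urllib.parse.urlencode(params)}"
    creds = call("GET", listing, token)

    # Delete each credential by its id (dcr_...).
    deleted = []
    for cred in creds:
        cred_id = urllib.parse.quote(cred["id"], safe="")
        call("DELETE", f"{base}/device-credentials/{cred_id}", token)
        deleted.append(cred["id"])
    return deleted
```

Passing a different `call` function lets the flow be exercised against canned responses before it is pointed at a real tenant.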