Revoke Access token programatically

I want to revoke one (all) refresh tokens of a user accessing a specific application.

In the Dashboard, it is simple, in Users, Authorized Applications, then click the button “Revoke” on the selected application.

But how do I do the same using the auth0 API? In the docs I can only find to use /oauth/revoke, but for that I need to know the refresh token I want to revoke Where can I find that programatically? (I know my user and application).

:wave: @SergioETrillo there’s an endpoint that will delete all grants and refresh tokens for a given user ID:
curl -X DELETE 'https://{{your-auth0-domain}}/api/v2/grants?user_id={{your-user-id}} please note that this will also revoke all grants for the user which may not be exactly what you would want. Please let me know if this works for you.

1 Like

Thanks for the answer @kimcodes.
I am not too sure what implies the revocation of all grants for the user but it seems it may work. I had figured out a solution as follows:

  • Get accessToken for v2
  • Get userId from email https://{{auth0-domain}}/api/v2/users?q=emailxxxxxxx&search_engine=v3
  • List device credentials refresh tokens for user: https://{{auth0-domain}}/api/v2/device-credentials?user_id=auth0|xxxxxxxxxxxxxxxx&type=refresh_token
  • Iterate the list and delete them with https://{{auht0-domain}}/api/v2/device-credentials/dcr_xxxxxxxxxx

But yours seems simpler.

Another way is to remove the grant for given application. You can use /api/v2/grants to get the grants for a given user. Find out the client id for which you are trying to remove authorisation, you will get the grant id from get_grants list. Now invoke /api/v2/grants/{id?} with DELETE method to remove the application authorisation. This will revoke all the refresh token for the user for the application.


hi, @kimcodes I’m trying to invalidate access token on logoff , using this api endpoint https://{{your-auth0-domain}}/api/v2/grants?user_id={{your-user-id}} , but it seems even after the I make this api call the user specific access token remains valid and I can send user info requests with access token obtained for that user earlier https://{{your-auth0-domain}}/userinfo , is it possible to invalidate user access token when user logout ?

@aminul were you able to successfully log out the user? did you solve your issue?

Hi, @kimcodes As this auth0 document suggest I’ve logged user out of my java application session layer ,but log out them from auth0 session layer will require us to configure too many Allowed Logout URLs ( we too many routes and sub-domains ), I was looking for a solution to log out them from auth0 session layer with java codes only that doesn’t require the Allowed Logout URLs settings , is it possible ?

Hey there @aminul!

Unfortunately Kim is no longer working at Auth0 but I’ll do my best to help you! Let me get more context and investigate it so I can get back to you shortly!

1 Like