Revoke Access token programmatically

refresh-tokens
refresh_token

#1

I want to revoke one (all) refresh tokens of a user accessing a specific application.

In the Dashboard it is simple: in Users, Authorized Applications, click the “Revoke” button on the selected application.

But how do I do the same using the Auth0 API? In the docs I can only find /oauth/revoke, but for that I need to know the refresh token I want to revoke. Where can I find that programmatically? (I know my user and application.)


#2

:wave: @SergioETrillo there’s an endpoint that will delete all grants and refresh tokens for a given user ID:
curl -X DELETE 'https://{{your-auth0-domain}}/api/v2/grants?user_id={{your-user-id}}'
Please note that this will also revoke all grants for the user, which may not be exactly what you would want. Please let me know if this works for you.


#3

Thanks for the answer @kim.noel.
I am not too sure what the revocation of all grants for the user implies, but it seems it may work. I had figured out a solution as follows:

  • Get accessToken for v2
  • Get userId from email https://{{auth0-domain}}/api/v2/users?q=emailxxxxxxx&search_engine=v3
  • List device credentials refresh tokens for user: https://{{auth0-domain}}/api/v2/device-credentials?user_id=auth0|xxxxxxxxxxxxxxxx&type=refresh_token
  • Iterate the list and delete them with https://{{auth0-domain}}/api/v2/device-credentials/dcr_xxxxxxxxxx

But yours seems simpler.
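
The list-and-delete steps from post #3, scoped to one application as asked in post #1; this is an added example, not code from the thread or from Auth0. Assumptions: the caller already holds a Management API v2 token and the user ID, each listed credential carries a `client_id` field, and the list endpoint accepts `page`/`per_page`; the function name, the `call` transport hook and the sample data are hypothetical.

```python
import json
import urllib.parse
import urllib.request

def http_call(method, url, token):
    """Default transport: one Management API request; returns parsed JSON or None."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else None

def revoke_refresh_tokens(domain, token, user_id, client_id=None,
                          call=http_call, per_page=50):
    """Delete a user's refresh-token device credentials; return the deleted ids.

    client_id (assumed to be present on each listed credential) restricts the
    revocation to one application; None revokes for every application.
    """
    base = f"https://{domain}/api/v2/device-credentials"
    creds, page = [], 0
    while True:  # collect every page first, so deletes cannot shift the paging
        query = urllib.parse.urlencode({"user_id": user_id, "type": "refresh_token",
                                        "page": page, "per_page": per_page})
        batch = call("GET", f"{base}?{query}", token) or []
        creds.extend(batch)
        if len(batch) < per_page:
            break
        page += 1
    deleted = []
    for cred in creds:
        if client_id is not None and cred.get("client_id") != client_id:
            continue  # leave other applications' refresh tokens valid
        call("DELETE", f"{base}/{urllib.parse.quote(cred['id'], safe='')}", token)
        deleted.append(cred["id"])
    return deleted

if __name__ == "__main__":
    # Constructed sample data and a fake transport, so this runs offline.
    sample = [{"id": "dcr_aaa", "client_id": "app1"},
              {"id": "dcr_bbb", "client_id": "app2"}]
    def fake(method, url, token):
        print(method, url)
        return sample if method == "GET" else None
    print(revoke_refresh_tokens("tenant.example", "TOKEN", "auth0|u1", "app1", call=fake))
```

Unlike the DELETE on /api/v2/grants from post #2, this leaves the user's grants and the refresh tokens issued to other applications in place.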