• None
  • Manage Credentials
Launch IDE ↗

Stitch SSO

5.9. Token Revocation

Revoking API tokens

In the event that a user requests to be removed from your system, we strongly recommend that before their data is deleted you revoke all refresh and access tokens associated with that user.

The next step entails revoking an API token using the endpoint.

To revoke a token, make a POST request to the endpoint, with a content type of application/x-www-form-urlencoded and the following fields in the body:

Token Revocation Request Body Parameters
client_idThis is a unique ID that will be issued to you by a stitch engineer. The same as the client_id used in previous steps
tokenThe token you wish to revoke
token_type_hintFor the purposes of revoking the token, should either be "access_token" or "refresh_token"

Revoking a Token Using cURL

This example bash script uses cURL to revoke a refresh token.

You'll need to replace the clientId, token and tokenType with the appropriate values. This request if correctly formed, will return an empty body with a 200 response code.

5curl -X POST \
6 \
7 -H 'Content-Type: application/x-www-form-urlencoded' \
8 -d "client_Id=$clientId&token=$token&token_type_hint=$tokenType"

Revoking a Token Using JavaScript and the Fetch API

1async function revokeUserToken(clientId, token, tokenType) {
2 const body = {
3 client_id: clientId,
4 token: token,
5 token_type_hint: tokenType
6 }
7 const bodyString = Object.entries(body).map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');
9 const response = await fetch('', {
10 method: 'post',
11 headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
12 body: bodyString,
13 });
15 const responseStatus = response.status;
16 console.log('Response Status Code: ', responseStatus);
17 return responseStatus;