Stitch SSO

4.9. Token Revocation

Revoking API tokens

In the event that a user requests to be removed from your system, we strongly recommend that before their data is deleted you revoke all refresh and access tokens associated with that user.

The next step entails revoking an API token using the endpoint.

To revoke a token, make a POST request to the endpoint, with a content type of application/x-www-form-urlencoded and the following fields in the body:

Token Revocation Request Body Parameters

client_id: This is a unique ID that will be issued to you by a Stitch engineer. The same as the client_id used in previous steps.
token: The token you wish to revoke.
token_type_hint: For the purposes of revoking the token, should be either "access_token" or "refresh_token".
client_assertion_type: Should always have the value urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
client_assertion: The value of the generated private_key_jwt.

Revoking a Token Using cURL

This example bash script uses cURL to revoke a refresh token.

You'll need to replace the clientId, token, tokenType and clientAssertion with the appropriate values. This request, if correctly formed, will return an empty body with a 200 response code.

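clientId='<your client id>'
token='<token to revoke>'
tokenType='refresh_token'
clientAssertionType='urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
clientAssertion='<your client assertion>'
# Replace the URL placeholder below with the token revocation endpoint.
curl -X POST \
  '<token revocation endpoint URL>' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d "client_id=$clientId&token=$token&token_type_hint=$tokenType&client_assertion_type=$clientAssertionType&client_assertion=$clientAssertion"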

Revoking a Token Using JavaScript and the Fetch API

async function revokeUserToken(clientId, token, tokenType, clientAssertionType, clientAssertion) {
  // Form fields expected by the revocation endpoint.
  const body = {
    client_id: clientId,
    token: token,
    token_type_hint: tokenType,
    client_assertion_type: clientAssertionType,
    client_assertion: clientAssertion
  };
  // Serialise as application/x-www-form-urlencoded, percent-encoding each value.
  const bodyString = Object.entries(body).map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');

  // Replace the placeholder with the token revocation endpoint URL.
  const response = await fetch('<token revocation endpoint URL>', {
    method: 'post',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: bodyString,
  });

  // A correctly formed request returns 200 with an empty body.
  const responseStatus = response.status;
  console.log('Response Status Code: ', responseStatus);
  return responseStatus;
}
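
The recommendation at the top of this section, to revoke all of a user's refresh and access tokens before deleting their data, sketched as an added example (not Stitch's own code): it revokes each stored token and reports failures, so deletion can be held back until every revocation has returned 200. The `url` value, the `getClientAssertion` callback and the `fetchImpl` parameter are assumptions made for illustration; the endpoint URL is not shown on this page.

```javascript
// Added example. url, getClientAssertion and fetchImpl are hypothetical names, not part of the Stitch API.
const CLIENT_ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
const VALID_HINTS = new Set(['access_token', 'refresh_token']);

// Build the application/x-www-form-urlencoded body; URLSearchParams percent-encodes every value.
function buildRevocationBody(clientId, token, tokenType, clientAssertion) {
  if (!VALID_HINTS.has(tokenType)) {
    throw new Error(`token_type_hint must be access_token or refresh_token, got: ${tokenType}`);
  }
  return new URLSearchParams({
    client_id: clientId,
    token,
    token_type_hint: tokenType,
    client_assertion_type: CLIENT_ASSERTION_TYPE,
    client_assertion: clientAssertion,
  }).toString();
}

// Revoke every stored token for one user. The caller should delete the user's
// data only when the returned `failed` list is empty.
async function revokeAllUserTokens({ url, clientId, tokens, getClientAssertion, fetchImpl = fetch }) {
  const revoked = [];
  const failed = [];
  for (const { token, tokenType } of tokens) {
    try {
      // Assumption: the caller supplies a callback that returns a private_key_jwt.
      const assertion = await getClientAssertion();
      const response = await fetchImpl(url, {
        method: 'POST',
        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
        body: buildRevocationBody(clientId, token, tokenType, assertion),
      });
      // The page documents a 200 status with an empty body as success.
      if (response.status === 200) {
        revoked.push({ tokenType, status: response.status });
      } else {
        failed.push({ tokenType, status: response.status });
      }
    } catch (err) {
      // Record the reason but never the token value itself.
      failed.push({ tokenType, error: err.message });
    }
  }
  return { revoked, failed };
}
```

The result objects deliberately carry only the token type and status, so they can be written to an audit log without exposing token values.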