Revoke tokens

Yandex OAuth revokes tokens in the following cases:

  • The token was revoked by the user on the Data access rights page. When an OAuth token is revoked, the corresponding refresh token is also revoked automatically.

  • The token expired.

  • The app owner changed the requested permissions or deleted the app. In this case, all the tokens ever issued for that app are revoked.

  • The user performed an action that revokes all the OAuth tokens and refresh tokens ever issued for an account:

    • Changed the password.

    • Turned two-factor authentication on or off.

    • Successfully restored access to the account.

    • Followed the Log out on all devices link in Yandex ID or another service.

Revoke tokens in the app

An app can revoke OAuth tokens issued for a specific device by sending a special request to Yandex OAuth.

For regular tokens (those not bound to a device), logging out of an account can be implemented by deleting the tokens related to the account from the app's local storage. A deleted token can't be restored via Yandex OAuth, so the app will have to request access again.

In this case, nothing changes for the user on the Data access rights page. A token issued for the app will remain active until it's revoked in any of the ways listed above.

Revoke a token for a device

With Yandex OAuth, you can request a token for an app on a specific device. To do this, specify the device ID and its name in the request for a token or confirmation code (the device_id and device_name parameters are described in the request format sections elsewhere in this documentation). The user can see the device name on the access management page in Yandex ID. If you only specify an ID without a name, the token will be marked as issued for an unknown device.

Alert

An app can have up to 30 tokens linked to a user's devices. If Yandex OAuth issues a new device token for the app, the oldest token stops working.

A token issued for a specific device can be revoked with a request to Yandex OAuth, for example, to ensure that the user logs out of the account.

To revoke a token, pass it to Yandex OAuth with the app ID and secret.

App authentication

In requests to Yandex OAuth, specify the ID and secret generated when registering the app.

You can pass them in a request in different ways:

  • In the Authorization header, as a <client_id>:<client_secret> string encoded with Base64. The authorization method should be set to Basic.

    Header example:

    Authorization: Basic <encoded string client_id:client_secret>
    
  • In the POST request body, as the client_id and client_secret parameters. These parameters must be passed together.

If Yandex OAuth receives the Authorization header, the client_id and client_secret parameters in the request body are ignored.

Request format

The request should be sent over HTTPS using the POST method.

POST /revoke_token HTTP/1.1
Host: oauth.yandex.com
Content-Type: application/x-www-form-urlencoded
Content-Length: <request body length>
[Authorization: Basic <encoded string client_id:client_secret>]

access_token=<token to revoke>
[& client_id=<app ID>]
[& client_secret=<secret key>]

Parameter        Description
---------------  -------------------------------------------------------------

Required parameter

access_token     The OAuth token you want to revoke.

Optional parameters

client_id        The app ID. It can be found in the app properties. To open
                 them, go to Yandex OAuth and select the app name.
                 This parameter is required if the app credentials weren't
                 passed in the Authorization header.

client_secret    The secret key. It can be found in the app properties. To
                 open them, go to Yandex OAuth and select the app name.
                 This parameter is required if the app credentials weren't
                 passed in the Authorization header.

Response format

Yandex OAuth returns the response in a JSON document.

If the token was successfully revoked or was already invalid, the response is returned with a 200 HTTP status code and the following body:

{
  "status": "ok"
}

If the request couldn't be fulfilled, the response is returned with an HTTP error code and its description:

{
  "error_description": "Client not found",
  "error": "invalid_client"
}

Parameter          Description
-----------------  ------------------------------------

error_description  A human-readable error description.

error              An error code.

Supported error codes

HTTP response code  Error code              Description
------------------  ----------------------  --------------------------------------------------

400                 invalid_request         An invalid request format (for example, a
                                            required parameter is missing).

400                 invalid_grant           The passed token doesn't belong to the
                                            specified app.

400 or 401          invalid_client          Returned in the following cases:
                                              • The app with the specified ID can't be
                                                found or is blocked.
                                              • An invalid secret was passed for the
                                                specified app ID.
                                            The 401 HTTP response code is returned if the
                                            app ID and secret key were passed in the
                                            Authorization header. Otherwise, the 400 HTTP
                                            code is returned.

400                 unsupported_token_type  The token can't be revoked because no device
                                            ID was specified when requesting this token
                                            (the device_id parameter).

If the token can't be revoked, you can just delete it from the local storage so that the app loses access to the user's data.
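As an added example (not Yandex's own code), here is how an app might build the revoke request in either of the two authentication forms described above and then act on the JSON response, including the unsupported_token_type case, which can only be handled by deleting the token locally. The account name, token value, client credentials and the local_store dict are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# Endpoint from the page; the values passed to the functions below are constructed.
REVOKE_URL = "https://oauth.yandex.com/revoke_token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header value: 'Basic ' + Base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_revoke_request(access_token, client_id, client_secret, use_header=True):
    """Return (headers, body) for POST /revoke_token.

    With use_header=True the credentials go in the Authorization header and are
    not repeated in the body (Yandex ignores body credentials when the header is
    present). Otherwise client_id and client_secret go in the body together.
    """
    fields = {"access_token": access_token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if use_header:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        fields["client_id"] = client_id
        fields["client_secret"] = client_secret
    body = urlencode(fields).encode("ascii")
    headers["Content-Length"] = str(len(body))
    return headers, body


def handle_revoke_response(status, body_text, local_store, account):
    """Map the response to an app-side action; local_store is {account: token}."""
    payload = json.loads(body_text)
    if status == 200 and payload.get("status") == "ok":
        local_store.pop(account, None)   # revoked, or was already invalid server-side
        return "revoked"
    error = payload.get("error")
    if status == 400 and error == "unsupported_token_type":
        local_store.pop(account, None)   # issued without device_id: drop it locally
        return "deleted_locally"
    if status in (400, 401) and error == "invalid_client":
        return "check_app_credentials"   # keep the token; fix client_id/client_secret
    if status == 400 and error == "invalid_grant":
        return "token_belongs_to_other_app"
    return "retry_or_investigate"        # invalid_request or an unexpected payload
```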