Revoke a token

Yandex OAuth revokes tokens in the following cases:

  • The token was revoked by the user on the Third party clients page. When the OAuth token is revoked, the corresponding refresh token is revoked automatically.

  • The token expired.

  • The app owner changed the requested rights or deleted the app. In this case, all tokens ever issued to this app are revoked.

  • The user performed an action that revokes all OAuth tokens and refresh tokens ever issued for the account:

    • Changed password.

    • Turned two-factor authentication on or off (https://yandex.com/support/id/authorization/twofa.html).

    • Successfully restored access to the account.

    • Clicked Log out of all computers in Yandex ID or some other service.

Revoking tokens in the app

The app can revoke OAuth tokens issued for a specific device with a request to Yandex OAuth.

To implement logging out of an account for regular tokens, you can delete the corresponding tokens from local storage. A deleted token can't be restored via Yandex OAuth; the app will have to request access again.

In this case, nothing will change for the user on the Third party clients page. A token issued to the application is considered active until it is revoked in any of the ways listed above.

Revoking a token for a specific device

Using Yandex OAuth, you can request a token for an app on a specific device. To do this, specify the device ID and its name in the request for a token or confirmation code (the device_id and device_name parameters described in the request formats in this document). The user can see this name on the access control page in API Yandex ID. If you only specify an ID without a name, the token will be marked as issued for an unknown device.

Alert

An app can have up to 30 tokens linked to a user's devices. If Yandex OAuth issues a new device token for the app, the oldest token stops working.

A token issued for a specific device can be revoked with a request to Yandex OAuth, for example, to ensure that the user logs out of the account.

To revoke a token, send it to Yandex OAuth with the app ID and password.

App authentication

In requests to Yandex OAuth, specify the ID and password generated when registering the app.

You can pass them in a request in different ways:

  • In the Authorization header, as the string <client_id>:<client_secret> encoded with base64. In this case, use the Basic authorization scheme.

    Header example:

    Authorization: Basic <encoded string `client_id:client_secret`>
    
  • In the POST request body, in the client_id and client_secret parameters. Both parameters must be passed together.

If Yandex OAuth receives the Authorization header, the client_id and client_secret parameters in the request body are ignored.

Request format

The request should be sent over HTTPS using the POST method.

POST /revoke_token HTTP/1.1
Host: oauth.yandex.com
Content-Type: application/x-www-form-urlencoded
Content-Length: <request body length>
[Authorization: Basic <encoded string `client_id:client_secret`>]

access_token=<token to revoke>
[& client_id=<app ID>]
[& client_secret=<secret key>]

Required parameter

  • access_token
    The OAuth token you want to revoke.

Additional parameters

  • client_id
    Application ID. Available in the app properties. To open properties, go to Yandex OAuth and click the app name.
    This parameter is required if it wasn't passed in the Authorization header.

  • client_secret
    Secret key. Available in the app properties. To open properties, go to Yandex OAuth and click the app name.
    This parameter is required if it wasn't passed in the Authorization header.

Response format

Yandex OAuth returns the response in a JSON document.

If the token is successfully revoked or was already invalid, the response is returned with the 200 HTTP code and the following body:

{
  "status": "ok"
}

If the request failed, the response is returned with the HTTP error code and its description:

{
  "error_description": "Client not found",
  "error": "invalid_client"
}

Response parameters:

  • error_description
    Error description in natural language.

  • error
    Error code.

Supported error codes

Each entry lists the HTTP response code, the error code, and its description.

  • 400, invalid_request
    Invalid request format (for example, a required parameter is missing).

  • 400, invalid_grant
    The passed token doesn't belong to the specified app.

  • 400 or 401, invalid_client
    Returned in the following cases:
      • The app with the specified ID wasn't found or is blocked.
      • An invalid password was passed for the specified app ID.
    The 401 HTTP response code is returned if the app ID and secret key were passed in the Authorization header. Otherwise, the 400 HTTP code is returned.

  • 400, unsupported_token_type
    The token cannot be revoked because the device ID wasn't specified when requesting this token (the device_id parameter).

If the token can't be revoked, you can just delete it from local storage so that the app loses access to the user's data.
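The following Python client is an added example, not code from the Yandex documentation or any Yandex SDK. It puts the pieces above together: building the Basic Authorization header from client_id:client_secret, forming the POST /revoke_token body, mapping the JSON response to the documented error codes, and implementing the "log out" flow in which the app removes the token from its own storage whether or not Yandex OAuth could revoke it (as the page advises for unsupported_token_type). The local_store dictionary, the user_key name and the injectable transport function are assumptions made for the example so that it can be exercised offline with canned responses; only send_revoke_request talks to the real endpoint.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint from the page; used only by send_revoke_request.
REVOKE_URL = "https://oauth.yandex.com/revoke_token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header value: 'Basic ' + base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_revoke_request(access_token, client_id, client_secret, credentials_in_header=True):
    """Return (headers, body) for POST /revoke_token.

    With credentials_in_header=True the app ID and secret travel in the
    Authorization header and the body carries only access_token. Otherwise
    client_id and client_secret are both sent as form parameters (the page
    requires them together). If the header is present, body credentials are
    ignored by the server, so the two are never mixed here.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {"access_token": access_token}
    if credentials_in_header:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    body = urllib.parse.urlencode(params).encode("ascii")
    headers["Content-Length"] = str(len(body))
    return headers, body


def parse_revoke_response(http_status: int, body: bytes):
    """Map the JSON reply to (revoked, error_code, error_description).

    200 with {"status": "ok"} means revoked (or already invalid); anything
    else carries the documented error / error_description pair.
    """
    doc = json.loads(body.decode("utf-8"))
    if http_status == 200 and doc.get("status") == "ok":
        return True, None, None
    return False, doc.get("error", "unknown"), doc.get("error_description")


def send_revoke_request(headers, body):
    """Real transport: POST to Yandex OAuth and return (status, raw body)."""
    req = urllib.request.Request(REVOKE_URL, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 400/401 replies still carry a JSON body
        return err.code, err.read()


def log_out(local_store: dict, user_key: str, client_id, client_secret,
            transport=send_revoke_request):
    """Log a user out of the app.

    The token is popped from local_store first, so the app loses access even
    when the server cannot revoke it (for example unsupported_token_type for a
    token issued without device_id). The server result is returned so the
    caller can log it. local_store and user_key are hypothetical names.
    """
    token = local_store.pop(user_key, None)
    if token is None:
        return True, None, None  # nothing stored: already logged out locally
    headers, body = build_revoke_request(token, client_id, client_secret)
    status, resp_body = transport(headers, body)
    return parse_revoke_response(status, resp_body)


if __name__ == "__main__":
    # Constructed sample values; a real run would use the app's own credentials.
    hdrs, data = build_revoke_request("<token>", "<app ID>", "<secret key>")
    print(hdrs, data)
```

Note that a token deleted locally still shows as active on the user's Third party clients page until it is revoked by one of the means listed above; the server-side revoke is what changes that, and the local deletion only guarantees the app itself can no longer use it.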