Revoke a token
Yandex OAuth revokes tokens in the following cases:
- The token was revoked by the user on the Third party clients page. When the OAuth token is revoked, the corresponding refresh token is revoked automatically.
- The token expired.
- The app owner changed the requested rights or deleted the app. In this case, all tokens ever issued to this app are revoked.
- The user performed an action that revokes all OAuth tokens and refresh tokens ever issued for the account:
  - Changed the password.
  - Turned two-factor authentication on or off (https://yandex.com/support/id/authorization/twofa.html).
  - Successfully restored access to the account.
  - Clicked Log out of all computers in Yandex ID or some other service.
Revoking tokens in the app
The app can revoke OAuth tokens issued for a specific device with a request to Yandex OAuth.
To implement logging out of an account for regular tokens, you can delete the corresponding tokens from local storage. A deleted token can't be restored via Yandex OAuth; the app will have to request access again.
In this case, nothing will change for the user on the Third party clients page. A token issued to the application is considered active until it is revoked in any of the ways listed above.
Revoking a token for a specific device
Using Yandex OAuth, you can request a token for an app on a specific device. To do this, specify the device ID and its name in the request for a token or confirmation code (the device_id and device_name parameters described in the request formats in this document). The user can see this name on the access control page in API Yandex ID. If you only specify an ID without a name, the token will be marked as issued for an unknown device.
Alert
An app can have up to 30 tokens linked to a user's devices. If Yandex OAuth issues a new device token for the app, the oldest token stops working.
A token issued for a specific device can be revoked with a request to Yandex OAuth, for example, to ensure that the user logs out of the account.
To revoke a token, send it to Yandex OAuth with the app ID and password.
App authentication
In requests to Yandex OAuth, specify the ID and password generated when registering the app.
You can pass them in a request in different ways:
- In the Authorization header, as the <client_id>:<client_secret> string encoded with base64. In this case, specify the Basic authorization method. Header example:
  Authorization: Basic <encoded string `client_id:client_secret`>
- In the POST request body, in the client_id and client_secret parameters. Both parameters must be passed together.
If Yandex OAuth receives the Authorization header, the client_id and client_secret parameters in the request body are ignored.
Request format
The request should be sent over HTTPS using the POST method.
POST /revoke_token HTTP/1.1
Host: oauth.yandex.com
Content-Type: application/x-www-form-urlencoded
Content-Length: <request body length>
[Authorization: Basic <encoded string `client_id:client_secret`>]

access_token=<token to revoke>
[&client_id=<app ID>]
[&client_secret=<secret key>]
Parameter | Description
Required parameter |
access_token | The OAuth token you want to revoke.
Additional parameters |
client_id | Application ID. Available in the app properties. To open properties, go to Yandex OAuth and click the app name. This parameter is required if the credentials weren't passed in the Authorization header.
client_secret | Secret key. Available in the app properties. To open properties, go to Yandex OAuth and click the app name. This parameter is required if the credentials weren't passed in the Authorization header.
Response format
Yandex OAuth returns the response in a JSON document.
If the token is successfully revoked or was already invalid, the response is returned with the 200 HTTP code and the following body:
{
"status": "ok"
}
If the request failed, the response is returned with the HTTP error code and its description:
{
"error_description": "Client not found",
"error": "invalid_client"
}
Parameter | Description
error_description | Error description in natural language.
error | Error code. See the supported error codes below.
Supported error codes
HTTP response code | Error code | Description
400 | | Invalid request format (for example, a required parameter is missing).
400 | | The passed token doesn't belong to the specified app.
400 or 401 | invalid_client | Returned in the following cases: The 401 HTTP response code is returned if the app ID and secret key were passed in the
400 | | The token cannot be revoked because the device ID wasn't specified when requesting this token (the device_id parameter). If the token can't be revoked, you can just delete it from local storage so that the app loses access to the user's data.
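The request format, the two ways of passing app credentials, and the response handling described above, as an added example that is not code from the Yandex documentation: a small Python client that builds the revoke request, interprets the JSON reply, and drops the token from local storage whatever the outcome. The `transport` callable and the `revoke_and_forget` helper are assumptions made so the flow runs offline; REVOKE_URL is the endpoint from the request format.

```python
import base64
import json
from urllib.parse import urlencode

REVOKE_URL = "https://oauth.yandex.com/revoke_token"

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header value: 'Basic ' + base64('client_id:client_secret')."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_revoke_request(access_token, client_id, client_secret, use_header=True):
    """Return (headers, body) for POST /revoke_token.
    use_header=True: credentials in the Authorization header, body has only access_token.
    use_header=False: client_id and client_secret passed together in the form body."""
    params = {"access_token": access_token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if use_header:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    body = urlencode(params)
    headers["Content-Length"] = str(len(body.encode("utf-8")))
    return headers, body

def parse_revoke_response(status_code: int, body: str):
    """Map the JSON reply to (revoked, error_code).
    200 + {"status": "ok"} means the token is now invalid (or already was);
    otherwise the OAuth error code is in the "error" field."""
    data = json.loads(body)
    if status_code == 200 and data.get("status") == "ok":
        return True, None
    return False, data.get("error", "unknown_error")

def revoke_and_forget(local_store, access_token, client_id, client_secret, transport):
    """Ask Yandex OAuth to revoke the token, then drop it from local storage either way.
    transport(url, headers, body) -> (status_code, response_text) is an assumed hook so
    the flow runs offline; in production wrap urllib.request. The token is discarded
    locally even if revocation fails (e.g. it was issued without device_id), so the
    app loses access and must request it again."""
    headers, body = build_revoke_request(access_token, client_id, client_secret)
    status, text = transport(REVOKE_URL, headers, body)
    revoked, error = parse_revoke_response(status, text)
    local_store.discard(access_token)
    return revoked, error
```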