API: Managing access_tokens and refresh_tokens

Comments


  • Brian Stengaard

    Hi David,

    1. No - that would mean that you could not be logged in to the same Podio account across different devices
    2. No - that would open up a clear escalation path
    3. Yes - you can destroy the currently used token through the API[1]. Simply call the URL below with a valid token:
    /oauth/token/invalidate

    [1]: https://developers.podio.com/doc/oauth-authorization/invalidate-tokens-7997943

    /Brian

  • David

    Thank you, Brian.

    Just to be clear: the `/oauth/token/invalidate` invalidates all active tokens for the currently logged-in user. So it is not possible to invalidate specific tokens?

  • Brian Stengaard

    Hi David,

    The wording in the docs is a little unclear, but a simple test should verify that it only invalidates the bearer token given in the request.

    /Brian

  • David

    Thank you!
