Token Revocation
In the event a user requests to be removed from your system, we strongly recommend that you revoke all refresh and access tokens associated with that user before their data is deleted.
The next step entails revoking an API token using the https://secure.stitch.money/connect/revocation endpoint.
To revoke a token, make a POST request to the endpoint, with a content type of application/x-www-form-urlencoded
and
the following fields in the body:
Parameter | Description |
---|---|
client_id | This is a unique ID that will be issued to you by the Stitch team. It will be the same as the client_id used in previous steps |
token | The token you wish to revoke |
token_type_hint | For the purposes of revoking the token, should either be "access_token" or "refresh_token" |
client_secret | The value of your client_secret |
Revoking a Token Using cURL
This example bash script uses cURL to revoke a refresh token.
You'll need to replace the clientId
, token
, tokenType
and client_secret
with the appropriate values. This request
if correctly formed, will return an empty body with a 200 response code.
clientId='test-18fbd892-3b73-43c3-a854-c6f78c681349'
token='DH7-TaofOSCFlsQwZAeEfmap1eXPeH7nmeOMtDJhdOw'
tokenType='refresh_token'
clientSecret='<your client secret>'
curl -X POST \
https://secure.stitch.money/connect/revocation \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d "client_Id=$clientId&token=$token&token_type_hint=$tokenType&client_secret=$clientSecret"
Revoking a Token Using JavaScript and the Fetch API
The Javascript function below uses fetch
to retrieve the client access token. You'll need to pass in appropriate
values for clientId
, token
, tokenType
, and clientSecret
to the function revokeUserToken
async function revokeUserToken(clientId, token, tokenType, clientSecret) {
const body = {
client_id: clientId,
token: token,
token_type_hint: tokenType,
client_secret: clientSecret,
};
const bodyString = Object.entries(body)
.map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
.join('&');
const response = await fetch('https://secure.stitch.money/connect/revocation', {
method: 'post',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: bodyString,
});
const responseStatus = response.status;
console.log('Response Status Code: ', responseStatus);
return responseStatus;
}