Token Revocation
In the event a user requests to be removed from your system, we strongly recommend that you revoke all refresh and access tokens associated with that user before their data is deleted.
The next step entails revoking an API token using the https://secure.stitch.money/connect/revocation endpoint.
To revoke a token, make a POST request to the endpoint with a content type of `application/x-www-form-urlencoded` and the following fields in the body:
Parameter | Description |
---|---|
client_id | This is a unique ID that will be issued to you by a Stitch engineer. It will be the same as the client_id used in previous steps |
token | The token you wish to revoke |
token_type_hint | For the purposes of revoking the token, should be either "access_token" or "refresh_token" |
client_secret | The value of your client_secret |
Revoking a Token Using cURL
This example bash script uses cURL to revoke a refresh token.
You'll need to replace the `clientId`, `token`, `tokenType` and `clientSecret` values with the appropriate values. This request, if correctly formed, will return an empty body with a 200 response code.
```bash
clientId='test-18fbd892-3b73-43c3-a854-c6f78c681349'
token='DH7-TaofOSCFlsQwZAeEfmap1eXPeH7nmeOMtDJhdOw'
tokenType='refresh_token'
clientSecret='<your client secret>'

# Field names must match the parameter table exactly (client_id, not client_Id).
curl -X POST \
  https://secure.stitch.money/connect/revocation \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d "client_id=$clientId&token=$token&token_type_hint=$tokenType&client_secret=$clientSecret"
```
Revoking a Token Using JavaScript and the Fetch API
The JavaScript function below uses `fetch` to revoke a token. You'll need to pass in appropriate values for `clientId`, `token`, `tokenType`, and `clientSecret` to the function `revokeUserToken`.
```javascript
async function revokeUserToken(clientId, token, tokenType, clientSecret) {
  const body = {
    client_id: clientId,
    token: token,
    token_type_hint: tokenType,
    client_secret: clientSecret,
  };

  // Form-encode the fields; values are percent-encoded so special characters survive.
  const bodyString = Object.entries(body)
    .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
    .join("&");

  const response = await fetch(
    "https://secure.stitch.money/connect/revocation",
    {
      method: "post",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: bodyString,
    },
  );

  // A successful revocation returns 200 with an empty body.
  const responseStatus = response.status;
  console.log("Response Status Code: ", responseStatus);
  return responseStatus;
}
```
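The recommendation at the top of this page (revoke every refresh and access token for a user before deleting their data) can be wired into a deletion flow as below. This is an added example, not Stitch's own code: the function names, the `{ token, type }` list shape and the injectable `fetchImpl` are assumptions, and it treats anything other than a 200 response as a failed revocation.

```javascript
// Added example; not Stitch's own code. Names and the token-list shape are assumptions.
const REVOCATION_URL = "https://secure.stitch.money/connect/revocation";

// Build the form-encoded body with the four documented fields.
function buildRevocationBody(clientId, clientSecret, token, tokenTypeHint) {
  if (tokenTypeHint !== "access_token" && tokenTypeHint !== "refresh_token") {
    throw new Error(`unsupported token_type_hint: ${tokenTypeHint}`);
  }
  return new URLSearchParams({
    client_id: clientId,
    token,
    token_type_hint: tokenTypeHint,
    client_secret: clientSecret,
  }).toString();
}

// tokens: [{ token, type }] loaded from your own token store (assumed shape).
// fetchImpl is injectable so the flow can be exercised without network access.
async function revokeAllUserTokens(clientId, clientSecret, tokens, fetchImpl = fetch) {
  const failed = [];
  // Design choice: refresh tokens go first, since they can mint new access tokens.
  const rank = (t) => (t.type === "refresh_token" ? 0 : 1);
  const ordered = [...tokens].sort((a, b) => rank(a) - rank(b));
  for (const { token, type } of ordered) {
    try {
      const res = await fetchImpl(REVOCATION_URL, {
        method: "POST",
        headers: { "Content-Type": "application/x-www-form-urlencoded" },
        body: buildRevocationBody(clientId, clientSecret, token, type),
      });
      if (res.status !== 200) failed.push({ type, status: res.status });
    } catch (err) {
      failed.push({ type, status: null, error: err.message });
    }
  }
  // Report only types and statuses; token values never leave this function.
  return { safeToDelete: failed.length === 0, revoked: ordered.length - failed.length, failed };
}
```

Only proceed with deleting the user's data when `safeToDelete` is true; otherwise retry the entries in `failed` first.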