Revoke a token
Yandex OAuth revokes tokens in the following cases:
- The user revokes access on the Data access rights page. When the OAuth token is revoked, the corresponding refresh token is revoked automatically.
- The token expired.
- The app owner changed the requested rights or deleted the app. In this case, all tokens ever issued to this app are revoked.
- The user performed an action that revokes all OAuth tokens and refresh tokens ever issued for the account:
  - Changed password.
  - Turned two-factor authentication on or off.
  - Successfully restored access to the account.
  - Followed the link Log out on all devices in Yandex ID or another service.
Revoking tokens in the app
The app can revoke OAuth tokens issued for a specific device with a request to Yandex OAuth.
To implement logging out of an account for regular tokens, you can delete the corresponding tokens from local storage. A deleted token can't be restored via Yandex OAuth; the app will have to request access again.
In this case, nothing changes for the user on the Data access rights page. A token issued to the application is considered active until it is revoked in any of the ways listed above.
Revoking a token for a specific device
Using Yandex OAuth, you can request a token for an app on a specific device. To do this, specify the device ID and its name in the request for a token or confirmation code (the device_id and device_name parameters described in the request formats in this document). The user can see this name on the access control page in API Yandex ID. If you only specify an ID without a name, the token will be marked as issued for an unknown device.
Alert
An app can have up to 30 tokens linked to a user's devices. If Yandex OAuth issues a new device token for the app, the oldest token stops working.
A token issued for a specific device can be revoked with a request to Yandex OAuth, for example, to ensure that the user logs out of the account.
To revoke a token, send it to Yandex OAuth with the app ID and password.
App authentication
In requests to Yandex OAuth, specify the ID and password generated when registering the app.
You can pass them in a request in different ways:
- In the Authorization header, as the line <client_id>:<client_secret> encoded with base64. In this case, specify the basic authorization method (Basic). Header example:
  Authorization: Basic <encoded string client_id:client_secret>
- In the POST request body, in the client_id and client_secret parameters. These parameters must be passed together.
If Yandex OAuth receives the Authorization header, the client_id and client_secret parameters in the request body are ignored.
Request format
The request should be sent over HTTPS using the POST method.
POST /revoke_token HTTP/1.1
Host: oauth.yandex.com
Content-type: application/x-www-form-urlencoded
Content-Length: <request body length>
[Authorization: Basic <encoded string client_id:client_secret>]

access_token=<token to revoke>
[&client_id=<app ID>]
[&client_secret=<secret key>]
| Parameter | Description |
| --- | --- |
| Required parameter | |
| access_token | The OAuth token you want to withdraw. |
| Advanced parameters | |
| client_id | Application ID. Available in the app properties. To open properties, go to Yandex OAuth and click the app name. This parameter is required if it wasn't passed in the Authorization header. |
| client_secret | Secret key. Available in the app properties. To open properties, go to Yandex OAuth and click the app name. This parameter is required if it wasn't passed in the Authorization header. |
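The following is an added example, not code from Yandex's documentation or SDK. It builds the /revoke_token request described above in both credential-passing forms from the "App authentication" section: app ID and secret in a Basic Authorization header (base64 of client_id:client_secret), or as client_id and client_secret form fields passed together. The request is only built, not sent, so it can be inspected offline; the function names, the describe() renderer and the sample values are this example's own assumptions.

```python
import base64
import urllib.parse
import urllib.request

# Endpoint from the request format section.
REVOKE_URL = "https://oauth.yandex.com/revoke_token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Value for the Authorization header: "Basic " + base64("<client_id>:<client_secret>")."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_revoke_request(access_token: str, client_id: str, client_secret: str,
                         credentials_in_header: bool = True) -> urllib.request.Request:
    """Build, without sending, the POST /revoke_token request.

    credentials_in_header=True  -> app ID and secret go in the Authorization header (Basic)
                                   and the body carries only access_token.
    credentials_in_header=False -> app ID and secret go in the form body as client_id and
                                   client_secret, which must be passed together.
    Content-Length is added by urllib when the request is actually sent.
    """
    fields = {"access_token": access_token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if credentials_in_header:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        fields["client_id"] = client_id
        fields["client_secret"] = client_secret
    body = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(REVOKE_URL, data=body, headers=headers, method="POST")


def describe(req: urllib.request.Request) -> str:
    """Render the built request in the same shape as the docs, for inspection.
    The output contains the app secret, so it is for local debugging only."""
    lines = [f"{req.get_method()} {req.selector} HTTP/1.1", f"Host: {req.host}"]
    for name, value in req.header_items():
        lines.append(f"{name}: {value}")
    lines.append("")  # blank line separates headers from the form body
    lines.append(req.data.decode("ascii"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    req = build_revoke_request("y0_sample_token", "sample_client_id", "sample_client_secret")
    print(describe(req))
    print()
    print(describe(build_revoke_request("y0_sample_token", "sample_client_id",
                                        "sample_client_secret", credentials_in_header=False)))
```

Sending the built request with urllib.request.urlopen(req) is all that remains in a real client; keeping construction separate from transport is what makes the header and body easy to unit-test.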
Response format
Yandex OAuth returns the response in a JSON document.
If the token is successfully revoked or was already invalid, the response is returned with the 200 HTTP code and the following body:
{
"status": "ok"
}
If the request failed, the response is returned with the HTTP error code and its description:
{
"error_description": "Client not found",
"error": "invalid_client"
}
| Parameter | Description |
| --- | --- |
| error_description | The error description is written in natural language. |
| error | Error code. |
Error codes
| HTTP response code | Error code | Description |
| --- | --- | --- |
| 400 | | An invalid request format (for example, a required parameter is missing). |
| 400 | | The passed token doesn't belong to the specified application. |
| 400 or 401 | | Returned in the following cases: The 401 HTTP response code is returned if the app ID and secret key were passed in the Authorization header. |
| 400 | | The token cannot be revoked because the device ID wasn't specified when requesting this token (the device_id parameter). |
If the token can't be revoked, you can just delete it from local storage so that the app loses access to the user's data.
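As an added example (not Yandex's code), the following shows how an app can combine the two logout paths described on this page: the "Revoking tokens in the app" section (delete the token from local storage) and the response handling above (200 with "status": "ok" means revoked or already invalid; anything else carries error and error_description, and a token that can't be revoked is still deleted locally). The in-memory store, the injected transport callable, the fake_yandex stand-in and its sample tokens are constructed for this example; a real client would send the request to https://oauth.yandex.com/revoke_token instead.

```python
import json
from typing import Callable, Dict, Optional, Tuple

# Constructed local token store: device_id -> OAuth token issued for that device.
LocalStore = Dict[str, str]

# Transport: takes the token to revoke, returns (http_status, response_body_text).
# A real implementation would POST to /revoke_token; tests inject a fake.
Transport = Callable[[str], Tuple[int, str]]


def parse_revoke_response(status: int, body: str) -> Tuple[bool, Optional[str], Optional[str]]:
    """Interpret a /revoke_token response as (revoked, error_code, error_description).

    200 with {"status": "ok"} means the token was revoked or was already invalid.
    Any other response is treated as an error; a non-JSON body gets a local
    placeholder code ("malformed_response", this example's own label).
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return False, "malformed_response", "response body is not JSON"
    if status == 200 and doc.get("status") == "ok":
        return True, None, None
    return False, doc.get("error", "unknown_error"), doc.get("error_description", "")


def logout_device(store: LocalStore, device_id: str, send: Transport) -> dict:
    """Log the user out on one device.

    The token is always dropped from local storage first (a deleted token cannot be
    restored; the app has to request access again). Whether Yandex OAuth also revoked
    it is reported separately: until revocation succeeds, the token still shows as
    active on the user's Data access rights page, so the caller should log failures.
    """
    token = store.pop(device_id, None)
    if token is None:
        return {"local_removed": False, "server_revoked": False, "error": None}
    status, body = send(token)
    revoked, code, desc = parse_revoke_response(status, body)
    return {
        "local_removed": True,
        "server_revoked": revoked,
        "error": None if revoked else f"{code}: {desc}",
    }


def fake_yandex(token: str) -> Tuple[int, str]:
    """Constructed stand-in for Yandex OAuth that returns the bodies shown in the docs:
    success for one known token, the documented error body for anything else."""
    if token == "good-device-token":
        return 200, json.dumps({"status": "ok"})
    return 400, json.dumps({"error": "invalid_client", "error_description": "Client not found"})


if __name__ == "__main__":
    store: LocalStore = {"phone": "good-device-token", "laptop": "other-token"}
    print(logout_device(store, "phone", fake_yandex))
    print(logout_device(store, "laptop", fake_yandex))
    print(store)  # both tokens are gone locally regardless of the server result
```

Keeping local deletion unconditional matches the page's advice: even when the server refuses to revoke (for example, a token requested without a device ID), the app stops using the token; the returned "server_revoked" flag tells you whether the user will still see it as active.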