Skip to main content

Can a user revoke an access token?

  • November 16, 2023
  • 4 replies
  • 865 views
M

Hi there.
I am starting to develop an app using oauth2 and am managing to access the api using a bearer token.
I’m wondering where the user should go to revoke the apps access token, as I can’t seem to find it with the experiments I am doing. I understood from another thread that the token is valid for 30days? But can’t seem to find where a user could revoke the token should the app be not needed anymore? Or heaven forbid become compromised somehow.

Note at this stage as I am developing the app is not “installed” as such, it does not appear under the installed apps tab in monday.

Thanks in advance for your help.

M

4 replies

A
  • anon29275264
  • Participating Frequently
  • November 16, 2023

As far as I know the tokens do not expire, as there is no refresh capability for the OAuth2. Though if you use a individual users API token (not through the OAuth process, manually entered) then they can regenerate that at will - but again does not expire.

As far as revoking the tokens, it happens when the app is uninstalled, without any user steps. There is no ability to revoke them manually that I am aware of, though this would be a good thing to add.

That said, if a users account is deactivated, their tokens do stop working. So while thats ugly, it might suffice in an emergency.

    M
    • MrMeltdown
    • Author
    • New Participant
    • November 17, 2023

    Thanks for your reply.
    I’ll investigate further. I think you are correct that the individual tokens may not be revokable within the users monday interface.
    I think the solution is have the user uninstall the app.

    Since my app is in development it is currently in private and doesn’t show up at all in the installed app pages, maybe because of this. I’ll try installing it under a non-development account and see what happens. I think because of this the token may have a very short lifespan certainly not 30 days, more like 30 seconds… , and things may become permanent
    when the app is shared.

    I’ll report back here when if I find something else out.

    Thanks again.

      M
      • MrMeltdown
      • Author
      • New Participant
      • November 17, 2023

      OAuth and Permissions (monday.com)

      This states the auth tokens last for ten minutes, but the bearer token should last indefinitely…

        A
        • anon29275264
        • Participating Frequently
        • November 17, 2023

        Yeah the “auth token” which they call a code, is for 10 minutes. That code can’t be used for API access.

        Also don’t forget that if this is an integration app, every request sent to your backend includes a JWT that has a shortLivedToken (assuming you’re using HTTPS). This lasts 5 minutes, but can be used for API access.

        Additionally, if your app uses custom triggers with custom actions, you can trigger that for changes to boards coming from your back end. Then you never need to store an OAuth token. Using custom triggers for changes from your backend is preferred over just making calls to boards, since it lets the users keep column mappings accurate.

        Within the UI features you can make API calls without getting a token as well.

        The only times you really need OAuth is if you’re going to offload work from a UI app to your backend, and it needs a token to do it. Or you have a batch of changes that will take longer than 5 minutes from one trigger.

          Terms & ConditionsCookie settingsAccessibility statement