Can my app "revoke itself" from user access?


#1

Hi,

I am trying to revoke access of my app for a user by invalidating the user access token (i.e. the user has previously performed a successful authorization of the app). I was hoping for this to do the trick:

https://developer.twitter.com/en/docs/basics/authentication/api-reference/invalidate_access_token.html

but the URL: https://api.twitter.com/oauth/invalidate_token does not exist! (404)

Has the above URL been moved or removed? If the latter, is there a different way to revoke user access of my app? Is requesting the user to revoke the app the only way?

I do understand that unsubscribing the app from the user’s activity will stop events from coming in to the webhook URL, but I’m trying to get the user -> app association removed completely from Twitter (so the user doesn’t show up again next time asking Twitter for all app users).

Thanks!


#2

Try /1.1/oauth/invalidate_token - I believe this could be an error in the documentation.


#3

Thanks for the reply!

Yes, with 1.1 in the URL the endpoint is found!

Should the /1.1/oauth URL work for all other authentication requests too, like for /request_token and /access_token? (They are also documented to have an /oauth URL rather than a /1.1/oauth URL.)


#4

Confusingly, no, the 1.1 only applies on the invalidate endpoint. The other auth endpoints should not include 1.1. The example code has this correct, but the documentation needs to be fixed.


#5

Ok, thanks for the info!
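
The endpoint split described in replies #2 and #4, as an added example that is not part of the thread or Twitter's own code: it builds an OAuth 1.0a (HMAC-SHA1) signed request for the invalidate endpoint, where the signature covers the full URL including the `/1.1` prefix. The POST method, the function names and the placeholder credentials are assumptions not stated in the thread.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

API = "https://api.twitter.com"
# Per the thread: only invalidate_token takes the /1.1 prefix.
PATHS = {
    "request_token": "/oauth/request_token",
    "access_token": "/oauth/access_token",
    "invalidate_token": "/1.1/oauth/invalidate_token",
}

def enc(value):
    """Percent-encode per RFC 3986 (only unreserved characters stay literal)."""
    return quote(str(value), safe="-._~")

def endpoint_url(name):
    return API + PATHS[name]

def base_string(method, url, params):
    """OAuth 1.0a signature base string: METHOD & url & sorted, encoded params."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def invalidate_request(consumer_key, consumer_secret, token, token_secret,
                       nonce=None, timestamp=None):
    """Return (method, url, headers) revoking `token`; POST is an assumption."""
    url = endpoint_url("invalidate_token")
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,  # the user access token being revoked
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("POST", url, params, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{enc(k)}="{enc(v)}"' for k, v in sorted(params.items()))
    return "POST", url, {"Authorization": header}

if __name__ == "__main__":
    # Constructed placeholder credentials; nothing is sent over the network.
    print(invalidate_request("CONSUMER_KEY", "CONSUMER_SECRET", "USER_TOKEN", "USER_SECRET"))
```

Because the URL is part of the signed base string, a signature computed for `/oauth/invalidate_token` cannot be reused against `/1.1/oauth/invalidate_token`; sign the exact URL the request is sent to.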