New authorization endpoint: /1.1/oauth/invalidate_token.json


#1

Today we launched a new authorization endpoint for developers. It allows an application to programmatically invalidate an authorized user's access_token, essentially revoking the app's own authorization for that specific user.

Users' access_tokens are obtained through the 3-legged OAuth workflow (sometimes called Sign in with Twitter) and are used by the application in any request that requires user context, that is, any request made on behalf of the authorized user.

A Twitter user can, at any time, review the applications they have authorized in their account settings and revoke access if desired. With this new method, the revocation can also be triggered by the application itself and therefore built into the application's own functionality. If a user needs to re-authorize an application after a revoke event, a new access_token must be obtained through the 3-legged OAuth workflow. Once an access_token is invalidated it cannot be revived; the user must re-authorize the application.

Technical documentation of this new request is detailed here. Note that the /invalidate_token.json request requires app-user (user context) authentication, meaning the request is signed with the user's access_token and access_token_secret (the OAuth Authorization header carries the oauth_token and the resulting signature, never the secret itself), and it additionally requires access_token and access_token_secret as parameters in the request.
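As an added example (not Twitter's own code and not taken from the linked documentation), the following Python builds a user-context OAuth 1.0a request to this endpoint and also shows how the receiving side would verify the signature, so the two halves of the exchange can be checked against each other offline. The consumer key/secret, the access token and secret, and the token store are constructed placeholders, and the function names are this example's own. It does not contact the network.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed, hypothetical application credentials (not real Twitter keys).
CONSUMER_KEY = "app-consumer-key"
CONSUMER_SECRET = "app-consumer-secret"
INVALIDATE_URL = "https://api.twitter.com/1.1/oauth/invalidate_token.json"


def pct(value):
    """RFC 3986 percent-encoding as required by OAuth 1.0a (only unreserved chars unencoded)."""
    return quote(str(value), safe="~")


def signature_base_string(method, url, params):
    """Build METHOD&URL&PARAMS from all oauth_* header params plus all body/query params."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(param_str)])


def hmac_sha1_signature(base, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def build_invalidate_request(access_token, access_token_secret, *, nonce=None, timestamp=None):
    """Return (method, url, headers, body) for a signed user-context POST to invalidate_token.

    The header carries oauth_token and the signature; the token secret is only used
    as signing key material. The endpoint also wants both values as body parameters.
    """
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": access_token,
        "oauth_version": "1.0",
    }
    body = {"access_token": access_token, "access_token_secret": access_token_secret}
    base = signature_base_string("POST", INVALIDATE_URL, {**oauth, **body})
    oauth["oauth_signature"] = hmac_sha1_signature(base, CONSUMER_SECRET, access_token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    headers = {"Authorization": header,
               "Content-Type": "application/x-www-form-urlencoded"}
    return "POST", INVALIDATE_URL, headers, urlencode(body, safe="~", quote_via=quote)


def parse_authorization_header(header):
    """Parse an 'OAuth k="v", ...' header back into a dict of decoded oauth_* params."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0a Authorization header")
    params = {}
    for part in header[len("OAuth "):].split(", "):
        key, _, value = part.partition("=")
        params[unquote(key)] = unquote(value.strip('"'))
    return params


def verify_request(method, url, headers, body, consumer_secret, lookup_token_secret):
    """Server side: recompute the signature from header + body params and compare.

    lookup_token_secret(oauth_token) returns the secret the server has on file; the
    secret presented in the body is never trusted as signing key material.
    """
    oauth = parse_authorization_header(headers["Authorization"])
    presented = oauth.pop("oauth_signature", "")
    body_params = dict(parse_qsl(body, keep_blank_values=True))
    base = signature_base_string(method, url, {**oauth, **body_params})
    expected = hmac_sha1_signature(base, consumer_secret, lookup_token_secret(oauth["oauth_token"]))
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Constructed user credentials standing in for a token issued by 3-legged OAuth.
    token, token_secret = "370773112-user-access-token", "user-access-token-secret"
    req = build_invalidate_request(token, token_secret)
    print(req[2]["Authorization"])
    print(req[3])
    print("verifies:", verify_request(*req, CONSUMER_SECRET, {token: token_secret}.__getitem__))
```

Sending the built request (for example with `urllib.request`) would revoke the token for real; the verification half is included so the signing logic can be tested without doing so, and so the contrast is visible between what travels in the header (oauth_token, signature) and what travels in the body (access_token, access_token_secret).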

We encourage developers to review this new operation and build this option into your solutions for your users.
