Revoking tokens

Yandex.OAuth revokes tokens in the following cases:

  • The user revoked the token on the Third party clients page. When an OAuth token is revoked, the corresponding refresh token is revoked automatically.

  • The token expired.

  • The application owner changed the requested permissions or the value of the Callback URL field, or deleted the application. In this case, all tokens that were ever issued to this application are revoked.

  • The user performed an action that revokes all OAuth tokens and refresh tokens ever issued for the account:

    • Changed the password.

    • Enabled or disabled two-factor authentication.

    • Successfully restored account access.

    • Clicked the Log out of all computers link in Passport or another service.

Revoking tokens in the app

An application can revoke OAuth tokens that were issued for a specific device, using a special request to Yandex.OAuth.

To implement logging out of an account for regular tokens, you can delete the account's tokens from local storage — it is impossible to restore a deleted token using Yandex.OAuth, and the application will have to request access again.

However, nothing will change for the user on the Third party clients page. The token issued to the application will be considered active until it is revoked in one of the ways listed above.
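The difference between deleting a token locally and revoking it, as an added example that is not part of the Yandex.OAuth documentation. The revocation request is represented by a caller-supplied function because its format is not given on this page. `FakeAuthServer`, `TokenStore`, the status strings and the assumption that the request takes the token itself are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

Revoke = Callable[[str], bool]  # hypothetical wrapper around the revocation request


@dataclass
class FakeAuthServer:
    """Constructed stand-in for the server-side token state (not Yandex.OAuth)."""
    active: Set[str] = field(default_factory=set)

    def revoke(self, token: str) -> bool:
        self.active.discard(token)
        return True


def _attempt(revoke: Revoke, token: str) -> bool:
    try:
        return bool(revoke(token))
    except OSError:  # network failure: treat as "not revoked yet"
        return False


@dataclass
class TokenStore:
    """Local storage: account -> token, plus tokens still awaiting revocation."""
    tokens: Dict[str, str] = field(default_factory=dict)
    pending: Set[str] = field(default_factory=set)

    def logout(self, account: str, revoke: Optional[Revoke] = None) -> str:
        token = self.tokens.pop(account, None)  # the app can no longer use it
        if token is None:
            return "no-token"
        if revoke is None:
            return "deleted-locally"  # server side still considers it active
        if _attempt(revoke, token):
            return "revoked"
        self.pending.add(token)  # kept only so revocation can be retried
        return "revocation-pending"

    def retry_pending(self, revoke: Revoke) -> int:
        # Retry revocation for tokens whose earlier request failed.
        done = {t for t in self.pending if _attempt(revoke, t)}
        self.pending -= done
        return len(done)
```

The token is read out of storage before the revocation attempt, because under the stated assumption a token that has already been discarded can no longer be named in a revocation request.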