Revoke Access to APIs Using Application Grants

Configuring your application grant so that the tokens you issue last for only a short period means that when it comes time for you to revoke access to a protected resource, you can simply delete the grant. At this point, the party with the access token only has a limited period between when you delete the grant and the token's expiration to make additional API requests. Because this is an easy (and safe) option to implement, we recommend you deny access to your APIs and other protected resources by revoking application grants.

If, for example, you are using a Machine-to-Machine application to access your API and you have a partner that calls your API, and at the end of your existing contract, you and your partner decide not to renew your partnership. You now want to remove your partner's access to your API. The issue, however, is that you've given your partner an access token that lasts for a month.

  • What can you do in this situation?

  • How might you configure your Auth0 environment to make such situations easier to handle in the future?

Application grants

The main issue in this scenario is the length of time for which the API access token is valid: one month.

By default, Auth0 issues access tokens that last for 24 hours. Setting the token's lifetime to 24 hours means that your partner must repeat the client credentials exchange (or whichever grant you've implemented) to obtain a new access token every 24 hours. To deny access to your partner due to the expiration of your contract, you can simply delete the application grant so that when their existing token expires, they cannot request a new one.

You can change the lifetime of a token by setting the token_lifetime option. The specific lifetime appropriate to your use case will vary, but we recommend setting this value to be as short as possible. A good starting point for determining this value would be the window you consider allowable for the delay between deleting the grant and final use of the API.

Delete an application grant

To delete an application grant, make the appropriate DELETE call to the Management API's Delete an Application Grant endpoint. As part of the call, you'll need to specify the ID of the application grant you want to delete, which you can obtain via the Management API's Get all Application Grants endpoint.

You can also update an Application's grant types through the Auth0 Dashboard.

Learn more