Token Revocation in Data API Workflow

Hi :slightly_smiling_face:

I have created user authentication for the Data API following the instructions in the manual below. I was able to implement data retrieval that applies privacy rules using the token issued by the API workflow without any issues.

However, it seems that the token revocation is not working. Attached is the API workflow for the token revocation.

Does the token revocation feature work?
Thank you for your assistance.


I don’t use log out of all sessions to revoke this token but don’t see how that would impact revoking the token.
How do you know the revoke action isn’t working?

I referenced the documentation for ‘Revoking a token’ and ‘Log out other user’s sessions’ for the workflow.

I assumed that if I attempted to connect to the Data API again using a token that should have been revoked, I would receive an error. However, contrary to my expectation, it appears that I am still able to retrieve data using the token that was supposed to be cancelled.

The documentation doesn’t say to log out of all sessions and doing so is gonna irritate your users for no reason.

How are you testing that? Where are you retrieving the expired token from? Are you sure you aren’t regenerating a new token?

Thank you for answering my question. :slightly_smiling_face:
My purpose is to perform user authentication with the Data API. I believe that creating a User type for the Data API (a user dedicated to data operations, different from regular app users) and applying appropriate privacy rules will enhance security.

It is stated that there are two methods to revoke tokens used with the Data API, and the document mentions using these two types of logout.

I set up two logouts to completely revoke both the current session and any other sessions.

For testing, I am using Postman to perform user authentication with the Data API.
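An added example (not code from the thread or from Bubble) of the check the replies are asking about: fetch with the token, run the revoke workflow with that same token, fetch again, and report which step did not behave. The Data API and revoke-workflow URLs, the `/revoke` path and the Bearer header are assumptions; the fake transport is a constructed stand-in for Postman against a real app.

```python
"""Check that a Data API token really stops working after the revoke workflow runs.

A transport is any callable (method, url, headers, body) -> (status, body), so the
same check runs against a real app (urllib_transport) or the fake below.
"""
import urllib.error
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real HTTP transport; returns 4xx/5xx as a status instead of raising."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def verify_revocation(transport, data_url, revoke_url, token):
    """Use the SAME token for all three calls; never request a new one mid-test."""
    auth = {"Authorization": f"Bearer {token}"}  # assumed header format
    before, _ = transport("GET", data_url, auth, None)
    hdrs = {**auth, "Content-Type": "application/json"}
    revoke, _ = transport("POST", revoke_url, hdrs, b"{}")
    after, _ = transport("GET", data_url, auth, None)
    return {
        "valid_before": before == 200,            # token worked at all
        "revoke_accepted": 200 <= revoke < 300,   # workflow ran without error
        "rejected_after": after in (401, 403),    # Data API now refuses the token
        "revoked": before == 200 and after in (401, 403),
    }


def make_fake_transport(revoke_works):
    """Constructed stand-in for an app: one valid token, optionally a broken revoke."""
    valid = {"tok-A"}

    def transport(method, url, headers, body):
        token = headers.get("Authorization", "").removeprefix("Bearer ")
        if token not in valid:
            return 401, b'{"statusCode":401}'
        if method == "POST" and url.endswith("/revoke"):
            if revoke_works:  # a broken workflow answers 200 but keeps the session alive
                valid.discard(token)
            return 200, b"{}"
        return 200, b'{"response":{"results":[]}}'

    return transport
```

Against a real app, pass `urllib_transport` and the app's own endpoint URLs; a result with `revoke_accepted` true but `rejected_after` false is exactly the symptom described above.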




As a result of contacting support about this issue, the problem has been resolved. Thank you, everyone.
