Revoke token and refresh token

Hello

Our refresh token accidentally made it into our repo. This is a private repo, but nonetheless we would like to revoke access for that token. We already created a new token and use that for the API currently. I could not find any way to revoke the old token. And this thread was resolved via private emails: Revoking access token?

Could you please let me know if there is a way to revoke an old token?

Best

Jakob

Hey @Dev,

Thanks for reaching out!

If you’re looking to change a refresh token, I can do that on my end if you share with me the associated email for said refresh token. Feel free to PM me here with the information.

Please let me know if there’s anything I can do to assist!

Best,
RayanP

Hey RayanP

I am unsure if I understand the concept. I can create a token and refresh token via the /auth/token API endpoint. Does this create a new token and refresh token, but all formerly created tokens are also still valid? If so, we could simply remove the old tokens.

I think the /auth/token request does not replace the old token, does it?

Best
Jakob

Hey @Dev,

Thanks for hanging in there!

So there are two tokens when interacting with our Public API: The refresh token and the access token.

The access token, which is used to interact with our endpoint of https://public-api.shiphero.com/graphql, lasts 1 month. After that token expires, you use the refresh token to generate a new access token. If you refresh your token before it expires, a new access token will still be generated, making the old token invalid.

Therefore the access tokens can be changed/refreshed into a new token making all previous ones invalid. The refresh token, however, can only be altered for SF customers with the help of support.

Example Tokens:

Let me know if that helps!

Best,
RayanP
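
A check for the situation this thread starts from (a token committed to a repository), as an added example that is not part of the original posts or ShipHero's code: it scans text for `refresh_token`/`access_token` assignments and JWT-shaped strings, and reads the `exp` claim of any JWT it finds. The regexes, function names and sample contents are assumptions constructed for illustration.

```python
import base64, hashlib, json, re, time

# Assumed shapes: a quoted refresh_token/access_token assignment, or a bare JWT.
KEYED = re.compile(r"""["']?(refresh_token|access_token)["']?\s*[:=]\s*["']([\w.-]{20,})["']""")
JWT = re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+")

def jwt_expiry(token):
    """Return the exp claim (epoch seconds), or None if this is not a decodable JWT."""
    try:
        seg = token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
        exp = claims.get("exp") if isinstance(claims, dict) else None
        return exp if isinstance(exp, (int, float)) else None
    except (ValueError, IndexError):
        return None

def classify(lineno, kind, value, now):
    exp = jwt_expiry(value)
    # No readable exp (e.g. a refresh token): treat as valid until replaced.
    # "unexpired" only reflects the exp claim; the server may already reject it.
    status = "opaque-rotate" if exp is None else "expired" if exp <= now else "unexpired"
    fp = hashlib.sha256(value.encode()).hexdigest()[:12]  # report a fingerprint, not the secret
    return {"line": lineno, "kind": kind, "status": status, "exp": exp, "sha256_12": fp}

def scan(text, now=None):
    now = time.time() if now is None else now
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        keyed = {m.group(2): m.group(1) for m in KEYED.finditer(line)}
        bare = {m.group(0) for m in JWT.finditer(line)} - set(keyed)
        findings += [classify(lineno, k, v, now) for v, k in keyed.items()]
        findings += [classify(lineno, "jwt", v, now) for v in sorted(bare)]
    return findings

def sample_jwt(exp):
    """Build a constructed, unsigned JWT-shaped string for the demo."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"exp": exp}), "c2lnbmF0dXJl"])

NOW = 1_700_000_000  # fixed clock so the demo is reproducible
SAMPLE = "\n".join([  # constructed file contents, not real credentials
    'API_URL = "https://public-api.shiphero.com/graphql"',
    '"refresh_token": "EXAMPLE_refresh_token_0000000000"',
    f'"access_token": "{sample_jwt(NOW + 86400)}"',
    f"Authorization: Bearer {sample_jwt(NOW - 86400)}",
])

if __name__ == "__main__":
    for finding in scan(SAMPLE, NOW):
        print(finding)
```
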

Hey Rayan

Thanks for explaining this. What is still unclear to me is what happens if I create a new token via the auth/token endpoint. I receive a new refresh token. Will the old refresh token be invalidated, or did I create yet another one and have now two?

Hey @Dev,

Thanks for hanging in there!

If you have access to the SH user and password, you could make the call to the auth endpoint. After some light testing I can confirm that if you do refresh it this way, it should render the previous refresh token invalid.

Please let me know if you have any questions or concerns.

Best,
RayanP

Perfect, that was my original question. If creating a new token invalidates the old refresh token, we are already good to go.

Thanks for your help

Jakob
