Revoke Token

POST /apps/oauth/revoke

curl --request POST \
  --url https://api.launchmystore.io/apps/oauth/revoke \
  --header 'Content-Type: application/json' \
  --data '
{
  "token": "<string>"
}
'

Response schema (no Authorization header is required; see Security Notes):

{
  "status": 123,
  "state": "<string>",
  "message": "<string>"
}


Revokes an OAuth access token. The endpoint follows RFC 7009 semantics: revocation is idempotent and silent — unknown or already-revoked tokens still return 200 success. On a successful revoke the server:
  1. Locates the AppInstallation that owns this accessToken.
  2. Blacklists both the access token and its paired refresh token (SHA-256 hashed in Redis with a 31-day TTL).
  3. Clears accessToken, refreshToken, tokenExpiresAt, and refreshTokenExpiresAt columns on the installation row.
The installation row itself is not deleted — status remains active. The merchant must call POST /apps/store/uninstall/:appId for a full uninstall. This endpoint is rate-limited to 5 requests per minute per IP.

Request

curl -X POST "https://api.launchmystore.io/apps/oauth/revoke" \
  -H "Content-Type: application/json" \
  -d '{
    "token": "lms_token_9fbb1c3e8d4a7b2e..."
  }'

Body Parameters

token
string
required
The access token to revoke. Refresh tokens cannot be revoked directly: passing one returns 200 (silent no-op) because the lookup matches on the accessToken column only, and no installation row has a refresh token there. (RFC 7009 permits clients to submit refresh tokens and to send a token_type_hint; this endpoint accepts access tokens only and has no such parameter.) To kill a refresh token, revoke its paired access token (which blacklists both) or wait up to 30 days for natural expiry.

Response

status
integer
Always 200.
state
string
Always success.
message
string
Token revoked successfully. Returned for both genuine revocations and unknown tokens (RFC 7009 §2.2 idempotency).

Example Response

{
  "status": 200,
  "state": "success",
  "message": "Token revoked successfully"
}

What gets revoked

When the server finds an installation matching the supplied access token, both tokens on that row are blacklisted and cleared in a single update:
Field on AppInstallation                        Before            After
accessToken                                     lms_token_...     NULL
refreshToken                                    lms_refresh_...   NULL
tokenExpiresAt                                  <24h from now>    NULL
refreshTokenExpiresAt                           <30d from now>    NULL
Redis token_blacklist:<sha256(accessToken)>     (none)            set, TTL 31d
Redis token_blacklist:<sha256(refreshToken)>    (none)            set, TTL 31d
Subsequent API calls with either token return:
{ "status": 401, "state": "error", "message": "Token has been revoked" }
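Added example, not launchmystore.io server code: a TypeScript model of the revoke path described above (and of the refresh-token no-op under Body Parameters), so the idempotent 200, the paired SHA-256 blacklist entries with their 31-day TTL, the cleared columns and the 401 that follows can all be exercised offline. The AppInstallation row shape, the TtlStore stand-in for Redis, the issue() and authenticate() helpers and the "Invalid or expired token" wording are assumptions; the 31-day margin over the 30-day refresh lifetime is the one the Security Notes describe.

```typescript
// Added example, not launchmystore.io server code. Row shape, store API,
// token format and the non-revoked 401 wording are assumptions.
import { createHash, randomBytes } from "node:crypto";

export const DAY_MS = 24 * 60 * 60 * 1000;
export const ACCESS_TTL_MS = DAY_MS;          // tokenExpiresAt: 24h after issue
export const REFRESH_TTL_MS = 30 * DAY_MS;    // refreshTokenExpiresAt: 30d after issue
export const BLACKLIST_TTL_MS = 31 * DAY_MS;  // one day longer than the longest token lifetime

// Only the columns the revoke path touches.
export interface AppInstallation {
  id: string;
  status: "active";
  accessToken: string | null;
  refreshToken: string | null;
  tokenExpiresAt: number | null;
  refreshTokenExpiresAt: number | null;
}

export interface ApiResponse { status: number; state: "success" | "error"; message: string }

// Stand-in for Redis `SET key ... EX ttl`: maps a key to its expiry timestamp.
class TtlStore {
  private expiry = new Map<string, number>();
  set(key: string, ttlMs: number, now: number): void { this.expiry.set(key, now + ttlMs); }
  has(key: string, now: number): boolean {
    const exp = this.expiry.get(key);
    if (exp === undefined) return false;
    if (exp <= now) { this.expiry.delete(key); return false; } // lazy expiry, as Redis would
    return true;
  }
}

// Only the SHA-256 of a token is ever written to the store, never the raw token.
const blacklistKey = (token: string): string =>
  `token_blacklist:${createHash("sha256").update(token).digest("hex")}`;

export class TokenService {
  private blacklist = new TtlStore();
  readonly installations = new Map<string, AppInstallation>();

  // Issue a fresh pair for an installation (prefixes follow the documented examples).
  issue(installationId: string, now: number): { accessToken: string; refreshToken: string } {
    const accessToken = `lms_token_${randomBytes(16).toString("hex")}`;
    const refreshToken = `lms_refresh_${randomBytes(16).toString("hex")}`;
    this.installations.set(installationId, {
      id: installationId, status: "active", accessToken, refreshToken,
      tokenExpiresAt: now + ACCESS_TTL_MS, refreshTokenExpiresAt: now + REFRESH_TTL_MS,
    });
    return { accessToken, refreshToken };
  }

  isBlacklisted(token: string, now: number): boolean {
    return this.blacklist.has(blacklistKey(token), now);
  }

  // POST /apps/oauth/revoke. Always 200: a refresh token or an unknown token never
  // matches the accessToken lookup, so it falls through as a silent no-op.
  revoke(token: string, now: number): ApiResponse {
    const row = Array.from(this.installations.values()).find((r) => r.accessToken === token);
    if (row !== undefined) {
      this.blacklist.set(blacklistKey(token), BLACKLIST_TTL_MS, now);
      if (row.refreshToken !== null) {
        this.blacklist.set(blacklistKey(row.refreshToken), BLACKLIST_TTL_MS, now);
      }
      row.accessToken = null;            // columns cleared; row kept, status stays "active"
      row.refreshToken = null;
      row.tokenExpiresAt = null;
      row.refreshTokenExpiresAt = null;
    }
    return { status: 200, state: "success", message: "Token revoked successfully" };
  }

  // Bearer check an API route runs first. The blacklist is consulted before the row
  // lookup: once the columns are cleared, the row alone cannot say "revoked".
  authenticate(accessToken: string, now: number): ApiResponse {
    if (this.isBlacklisted(accessToken, now)) {
      return { status: 401, state: "error", message: "Token has been revoked" };
    }
    const row = Array.from(this.installations.values()).find((r) => r.accessToken === accessToken);
    if (row === undefined || row.tokenExpiresAt === null || row.tokenExpiresAt <= now) {
      return { status: 401, state: "error", message: "Invalid or expired token" }; // wording assumed
    }
    return { status: 200, state: "success", message: `Authenticated installation ${row.id}` };
  }
}
```

The order inside authenticate() matters: the blacklist is consulted before the row lookup, because after a revoke the cleared columns alone would make a revoked token indistinguishable from an unknown one, and the documented "Token has been revoked" message depends on telling them apart.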

When to revoke

  • User-initiated sign-out of your app’s embedded UI.
  • Compromised token suspicion — pair with rotating client_secret via POST /apps/developer/:appId/regenerate-secret.
  • Switching environments between dev/staging/prod for the same app installation.
Revoking does not uninstall the app, surrender granted scopes, or notify the merchant. For a full uninstall + webhook fan-out, see POST /apps/store/uninstall/:appId.

Ending a session (alternatives)

Operation                   Endpoint                                                  Effect
Revoke current token only   POST /apps/oauth/revoke                                   Both tokens blacklisted; installation kept.
Rotate refresh token        POST /apps/oauth/token with grant_type=refresh_token      Old refresh token auto-blacklisted; new pair issued.
Uninstall app               POST /apps/store/uninstall/:appId                         Installation row deleted (or status → pending-uninstall); extension files removed from disk; uninstall webhooks dispatched.
Re-authenticate             GET /apps/oauth/authorize, then POST /apps/oauth/token    Reuses the same installation row; new tokens overwrite old ones.

Error Codes

HTTP   Error message                 When
200    Token revoked successfully    Always returned, including for unknown tokens (RFC 7009 idempotency).
429    (throttler)                   More than 5 requests/minute from this IP.
500    (generic)                     Redis or DB write failed. The token may or may not be revoked; revocation is idempotent, so retrying the same request is safe.
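Added example, not launchmystore.io SDK code: a client-side call to POST /apps/oauth/revoke in TypeScript that retries only where the table above says it is safe to. The HTTP call is abstracted as a send function so the logic runs offline; that shape, the back-off delays, the attempt cap and the scripted error bodies are assumptions.

```typescript
// Added example, not launchmystore.io SDK code. The `send`/`sleep` shapes,
// the delays and the attempt cap are assumptions.
export interface HttpReply {
  status: number;
  body: { status?: number; state?: string; message?: string };
}
export type Sender = (body: { token: string }) => Promise<HttpReply>;
export type Sleeper = (ms: number) => Promise<void>;

export interface RevokeOutcome {
  revoked: boolean;   // true only on HTTP 200 (unknown tokens count too: nothing is left to revoke)
  attempts: number;
  lastStatus: number;
  waitedMs: number;   // total back-off requested across retries
}

const RATE_LIMIT_WINDOW_MS = 60_000; // the endpoint allows 5 requests per minute per IP

export async function revokeToken(
  token: string,
  send: Sender,
  sleep: Sleeper,
  maxAttempts = 4,
): Promise<RevokeOutcome> {
  let attempts = 0;
  let lastStatus = 0;
  let waitedMs = 0;
  while (attempts < maxAttempts) {
    attempts += 1;
    const reply = await send({ token });
    lastStatus = reply.status;
    if (reply.status === 200) return { revoked: true, attempts, lastStatus, waitedMs };
    if (attempts === maxAttempts) break;

    let delay: number;
    if (reply.status === 429) {
      // Throttled. The limit is per minute and no Retry-After header is documented,
      // so waiting a full window guarantees the retry lands in a fresh bucket.
      delay = RATE_LIMIT_WINDOW_MS;
    } else if (reply.status === 500) {
      // Redis/DB write failed; the token may or may not be revoked. Revocation is
      // idempotent, so re-sending is safe. Short exponential back-off.
      delay = 500 * Math.pow(2, attempts - 1);
    } else {
      break; // any other status is not retryable; surface it to the caller
    }
    waitedMs += delay;
    await sleep(delay);
  }
  return { revoked: false, attempts, lastStatus, waitedMs };
}

// Constructed test double: replays a fixed sequence of HTTP statuses instead of
// calling https://api.launchmystore.io. The 200 body mirrors the documented
// response; the error bodies are made up, since the page does not specify them.
export function scriptedSender(statuses: number[]): Sender {
  let i = 0;
  return async () => {
    const status = statuses[Math.min(i++, statuses.length - 1)];
    const body =
      status === 200
        ? { status: 200, state: "success", message: "Token revoked successfully" }
        : { status, state: "error", message: status === 429 ? "Too Many Requests" : "Internal Server Error" };
    return { status, body };
  };
}

// Sleeper that returns immediately, for offline runs.
export const noSleep: Sleeper = async () => {};
```

A caller should discard its local copy of the token whichever way revokeToken() returns: after a 500 the server may already have blacklisted it, and a cached copy of a possibly-dead token is worthless. A 200 must not be read as confirmation that the token existed, since unknown tokens get the same reply.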

Security Notes

  • Token blacklist entries live in Redis for 31 days, one day longer than the longest possible refresh-token lifetime (30 days). By the time an entry expires, the token it covers has already expired on its own, so a revoked token cannot come back into use. This margin only holds while 30 days remains the maximum refreshTokenExpiresAt; if token lifetimes are ever extended, the blacklist TTL must be raised with them.
  • The blacklist key is token_blacklist:<sha256(token)>. The raw token is never persisted to Redis, only its hash, so a dump of the Redis keyspace yields no usable credentials; a lookup hashes the presented token and checks for that key.
  • This endpoint has no auth requirement beyond rate limiting: anyone holding a valid access token can revoke it, and no Authorization header or client_secret is needed. This is intentional, so that a leaked token can be invalidated from any environment without the original client_secret. Because unknown tokens receive the same 200, the endpoint also cannot be used as an oracle to test whether a guessed token is live.