Token Operation APIs
| API | Purpose |
|---|---|
| /auth/token/get/list | List issued tokens. You can filter by client and end-user (subject). |
| /auth/token/create | Create an access token without going through an authorization flow. Useful for migration or testing. |
| /auth/token/update | Update properties of an issued token, such as its expiration date and scopes. |
| /auth/token/revoke | Revoke tokens. You can revoke by token identifier, or revoke all tokens of a client or an end-user at once. |
| /auth/token/delete | Delete a token entry itself from the database. |

Revocation initiated by a client application (RFC 7009) is part of the protocol flows and is handled by the Core API /auth/revocation. The token operation APIs above are for administrative operations performed by your server or back-office tools.
Relation to Client and Service Lifecycle
Token lifecycle is tied to the entities that issued them:
- Deleting a client affects its issued tokens. See Token Management Policy When Deleting Clients.
- Authlete tracks which clients an end-user has authorized, which you can manage per user. See Authlete’s Policy on Managing Clients Which Have Been Authorized by User.
Next Steps
- Client Management — managing the clients that tokens are issued to
- Service Management — service-level settings such as token expiration defaults