User OAuth 2.0 Token Management

The User OAuth 2.0 Token Management API provides operations to manage tokens issued by an Authorization Server for a particular User and Client in your org. For example, you can revoke every active refresh token for a User in the context of a specific Client. You can also revoke specific tokens or manage tokens at the authorization server level.

Read Validate Access Tokens to understand more about how OAuth 2.0 tokens work.

List all Refresh Tokens for a Client
CORS
OAuth 2.0: okta.users.read

Lists all refresh Tokens issued for the specified User and client

Request
path Parameters
userId
required
string

ID of an existing Okta user

Example: 00ub0oNGTSWTBKOLGLNR
clientId
required
string

Client app ID

Example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD
query Parameters
expand
string

Valid value: scope. If specified, scope details are included in the _embedded attribute.

Example: expand=scope
after
string

The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the Link response header. See Pagination.

limit
integer <int32> [ 1 .. 200 ]
Default: 20

Specifies the number of tokens to return

Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/users/{userId}/clients/{clientId}/tokens
Request samples 
Response samples 
application/json
[]
Revoke all Refresh Tokens for a Client
CORS
OAuth 2.0: okta.users.manage
Revokes all refresh Tokens issued for the specified User and client


Request 
path Parameters
userId
required
string
ID of an existing Okta user


 
 Example:  00ub0oNGTSWTBKOLGLNR
clientId
required
string
Client app ID


 
 Example:  52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


delete/api/v1/users/{userId}/clients/{clientId}/tokens
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}
Retrieve a Refresh Token for a Client
CORS
OAuth 2.0: okta.users.read
Retrieves a refresh Token issued for the specified User and client


Request 
path Parameters
userId
required
string
ID of an existing Okta user


 
 Example:  00ub0oNGTSWTBKOLGLNR
clientId
required
string
Client app ID


 
 Example:  52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD
tokenId
required
string
id of Token


 
 Example:  sHHSth53yJAyNSTQKDJZ
query Parameters
expand
string
Valid value: scope. If specified, scope details are included in the _embedded attribute.


 
 Example:  expand=scope
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/users/{userId}/clients/{clientId}/tokens/{tokenId}
Request samples 
Response samples 
application/json
{}
Revoke a Token for a Client
CORS
OAuth 2.0: okta.users.manage
Revokes the specified refresh Token


Request 
path Parameters
userId
required
string
ID of an existing Okta user


 
 Example:  00ub0oNGTSWTBKOLGLNR
clientId
required
string
Client app ID


 
 Example:  52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD
tokenId
required
string
id of Token


 
 Example:  sHHSth53yJAyNSTQKDJZ
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


delete/api/v1/users/{userId}/clients/{clientId}/tokens/{tokenId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}