Revoke OAuth Token

Respect user privacy by enabling them to revoke unwanted OAuth tokens.

Before you start

To use the example code as written, you need the following:

• Square API and SDK Config File

• Square Connect PHP SDK

Step 1: Add code to let users revoke access to their accounts

Create a PHP file called revoke_token.php and add code to let users to revoke access to their accounts. Make sure the revoke token page is in the same password-protected area as the main OAuth flow page.

Step 2: Revoke the OAuth token

Run a cURL command to call the OAuth API and revoke the access token.

If your request is successful, the Revoke Token revokes the OAuth token and you receive a 200 response.

Step 3 (optional): Revoke a single access token

Revoke a single access token, but leave the authorization active.

curl https://connect.squareupsandbox.com/oauth2/revoke \
  -X POST \
  -H 'Square-Version: 2020-04-22' \
  -H 'Authorization: Client {{CLIENT_SECRET}}' \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "{{CLIENT_ID}}",
    "access_token": "{{ACCESS_TOKEN}}",
    "revoke_only_access_token": true
  }'
    

Webhook notifications

If you have subscribed to the oauth.authorization.revokedevent and configured a webhook notification listener endpoint, your listener receives a notification whose body looks like the following example:

{
  "merchant_id": "{{MERCHANT_ID}}",
  "type": "oauth.authorization.revoked",
  "event_id": "e1d6ae37-5aa9-45a5-b525-b12caf819fdb",
  "created_at": "2020-08-14T15:51:04.246373287Z",
  "data": {
    "type": "revocation",
    "id": "415641cf-eba2-4dfa-88cc-c4be1301fdc6",
    "object": {
      "revocation": {
        "revoked_at": "2020-08-14T15:51:00.246373287Z",
        "revoker_type": "MERCHANT"
      }
    }
  }
}

A webhook notification is sent for each access token that is revoked.