OAuth: Code Cookbook
Revoke OAuth Token
Respect user privacy by enabling users to revoke unwanted OAuth tokens.
<h2>Revoke Access to your Account</h2>
<p>
  Click the following button to close your account or revoke access to your Square account.
</p>
<form action="revoke_token.php" method="post">
  <input type="submit" id="submit" value="Revoke Access" />
</form>
curl https://connect.squareupsandbox.com/oauth2/revoke \
  -X POST \
  -H 'Square-Version: 2020-04-22' \
  -H 'Authorization: Client {{CLIENT_SECRET}}' \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "{{CLIENT_ID}}",
    "access_token": "{{ACCESS_TOKEN}}"
  }'
Step 3 (optional): Revoke a single access token
Revoke a single access token, but leave the authorization active.
curl https://connect.squareupsandbox.com/oauth2/revoke \
  -X POST \
  -H 'Square-Version: 2020-04-22' \
  -H 'Authorization: Client {{CLIENT_SECRET}}' \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "{{CLIENT_ID}}",
    "access_token": "{{ACCESS_TOKEN}}",
    "revoke_only_access_token": true
  }'
Webhook notifications
If you have subscribed to the oauth.authorization.revoked event and configured a webhook notification listener endpoint, your listener receives a notification whose body looks like the following example:
{
  "merchant_id": "{{MERCHANT_ID}}",
  "type": "oauth.authorization.revoked",
  "event_id": "e1d6ae37-5aa9-45a5-b525-b12caf819fdb",
  "created_at": "2020-08-14T15:51:04.246373287Z",
  "data": {
    "type": "revocation",
    "id": "415641cf-eba2-4dfa-88cc-c4be1301fdc6",
    "object": {
      "revocation": {
        "revoked_at": "2020-08-14T15:51:00.246373287Z",
        "revoker_type": "MERCHANT"
      }
    }
  }
}
A webhook notification is sent for each access token that is revoked.
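A listener for this notification, as an added example that is not part of the original page or Square's own code. It assumes the listener authenticates each request with a base64 HMAC-SHA256 signature computed over the notification URL plus the raw body; the key, URL, merchant ID, `token_store` and `seen_events` are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders (assumptions); real values come from your webhook subscription.
SIGNATURE_KEY = "constructed-signature-key"
NOTIFICATION_URL = "https://example.com/square/webhook"
# Constructed sample in the shape of the notification body shown above.
SAMPLE_BODY = json.dumps({
    "merchant_id": "MERCHANT_123",
    "type": "oauth.authorization.revoked",
    "event_id": "e1d6ae37-5aa9-45a5-b525-b12caf819fdb",
    "data": {"type": "revocation",
             "object": {"revocation": {"revoker_type": "MERCHANT"}}},
}).encode()


def sign(raw_body, key=SIGNATURE_KEY, url=NOTIFICATION_URL):
    """Base64 HMAC-SHA256 over notification URL + raw body (assumed scheme)."""
    mac = hmac.new(key.encode(), url.encode() + raw_body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def handle_notification(raw_body, signature, token_store, seen_events):
    """Return 'rejected', 'ignored', 'duplicate' or 'revoked'."""
    # Authenticate the raw bytes before parsing: an unauthenticated listener
    # would drop a seller's credentials for any caller who posts this body.
    if not hmac.compare_digest(sign(raw_body).encode(), (signature or "").encode()):
        return "rejected"
    try:
        event = json.loads(raw_body)
    except ValueError:
        return "rejected"
    if not isinstance(event, dict):
        return "rejected"
    if event.get("type") != "oauth.authorization.revoked":
        return "ignored"
    event_id, merchant_id = event.get("event_id"), event.get("merchant_id")
    if not (isinstance(event_id, str) and isinstance(merchant_id, str)):
        return "rejected"
    # One notification is sent per revoked token, so process each event_id once.
    if event_id in seen_events:
        return "duplicate"
    seen_events.add(event_id)
    # The body names the seller, not the token, so stop using everything
    # stored for that merchant_id.
    token_store.pop(merchant_id, None)
    return "revoked"
```

In a real deployment `token_store` and `seen_events` would be persistent storage rather than in-memory objects.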