Revoke Access to APIs Using Application Grants

In Login 3.0, you can revoke access to APIs and other protected resources by managing application grants. By setting short lifetimes for access tokens and removing application grants, you can effectively control and revoke access when necessary.


Managing Access to Protected Resources

Token Lifetime Configuration

By default, Login 3.0 issues access tokens valid for 24 hours. This means:

  • Applications must obtain new tokens every 24 hours through the appropriate grant type (e.g., Client Credentials).

  • Revoking access becomes straightforward: once the application grant is deleted, the application can keep using its current token only until it expires and cannot obtain a new one.

Example Scenario:

If a partner using a Machine-to-Machine application has an API access token valid for one month, and your partnership ends, you can revoke their access by:

  1. Shortening Token Lifetimes:

    Configure shorter token lifetimes (e.g., 24 hours) to minimize the window during which access is valid.

  2. Deleting the Application Grant:

    After the contract ends, revoke the partner’s access by deleting their application grant. Once the current token expires, they will no longer be able to request new tokens.


Application Grants

Application grants determine the scope and duration of access to APIs. To better manage access:

  1. Set Short Token Lifetimes:

    • Adjust the token_lifetime setting to match your use case.

    • A 24-hour token lifetime is generally recommended as a starting point.

  2. Plan for Revocation:

    • Ensure that token lifetimes match the delay you can accept between deleting a grant and the application's last successful API call.

    • Work with the UPBOND team to configure token lifetimes and grant revocation policies.
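As an added illustration of the partner scenario above and of the "Plan for Revocation" point (this is not Login 3.0 or UPBOND code), the following Python model assumes the behaviour the page describes: a token is issued only while the application grant exists, and the resource server checks only the token's expiry, so the window after deleting a grant is bounded by the remaining lifetime of the newest outstanding token.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AccessToken:
    client_id: str
    issued_at: float
    expires_at: float


@dataclass
class AuthorizationServer:
    """Hypothetical model (not UPBOND's implementation) of grant-gated token issuance."""
    token_lifetime: float                        # seconds; 24 hours = 86400
    grants: set = field(default_factory=set)     # client IDs holding an application grant
    _tokens: dict = field(default_factory=dict)  # issued tokens by value

    def issue_token(self, client_id, now):
        """Client Credentials request: refused unless the client still holds a grant."""
        if client_id not in self.grants:
            return None
        token = secrets.token_urlsafe(16)
        self._tokens[token] = AccessToken(client_id, now, now + self.token_lifetime)
        return token

    def revoke_grant(self, client_id):
        """Deleting the grant stops future issuance; it does not touch issued tokens."""
        self.grants.discard(client_id)

    def validate(self, token, now):
        """Resource-server check: only expiry is enforced, not the grant's existence."""
        t = self._tokens.get(token)
        return t is not None and now < t.expires_at

    def exposure_after_revocation(self, client_id, revoke_at):
        """Seconds after grant deletion during which some issued token still works."""
        live = [t.expires_at for t in self._tokens.values()
                if t.client_id == client_id and t.expires_at > revoke_at]
        return max(live, default=revoke_at) - revoke_at


def partner_offboarding(token_lifetime):
    """Walk through the page's scenario: the partner's last token is issued at t=0
    and the grant is deleted halfway through that token's lifetime."""
    server = AuthorizationServer(token_lifetime=token_lifetime, grants={"partner-m2m"})
    token = server.issue_token("partner-m2m", 0.0)
    revoke_at = token_lifetime / 2
    server.revoke_grant("partner-m2m")
    return {
        "old_token_still_valid": server.validate(token, revoke_at + 1),
        "new_token_refused": server.issue_token("partner-m2m", revoke_at + 1) is None,
        "valid_after_expiry": server.validate(token, token_lifetime),
        "exposure_seconds": server.exposure_after_revocation("partner-m2m", revoke_at),
    }
```

Comparing `partner_offboarding(86400)` with `partner_offboarding(30 * 86400)` shows why the page recommends the 24-hour lifetime: the exposure after deleting the grant shrinks from days to hours.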


Revoke Access by Deleting Application Grants

Steps to Revoke Access:

  1. Contact the UPBOND Team:

    Provide the following details:

    • Application name or Client ID.

    • The specific grant(s) to be revoked.

    • Reason for revocation (e.g., end of a partnership).

  2. Grant Deletion:

    The UPBOND team will:

    • Identify the grants associated with the application.

    • Delete the relevant grants, ensuring that new tokens cannot be issued once current tokens expire.

  3. Validate Access Revocation:

    Test the API to confirm that the application can no longer access protected resources.


Best Practices for Managing Application Grants

  • Minimize Token Lifetimes:

    Configure the shortest token lifetime that meets your use case. This reduces the risk window after a grant is deleted.

  • Monitor and Audit Grants:

    Regularly review active application grants to ensure they align with your organization’s current partnerships and policies.

  • Plan for Access Revocation:

    Anticipate scenarios where access must be revoked and configure your Login 3.0 environment accordingly. Ensure token lifetimes and grant management processes support timely revocation.
