I want to revoke all previously issued OAuth access tokens associated with a specific API key before generating a new one.
As of now, I see that Apigee provides an option to revoke tokens using the App ID, but that revokes access tokens for all keys linked to that app. This does not work for my use case, as I only want to revoke tokens tied to one specific key.
Is there any way to revoke access tokens for a single API key (consumer key) without affecting other keys under the same app?
Note: I do not store access tokens on my side, so cannot revoke a token by passing its token value.
Hello @Prateek_14 ,
Is there any specific reason why your OAuth tokens are not being stored within the Apigee policy constructs? The way I see current state is as follows:
- We have policies to Revoke OAuth tokens by access/refresh token, or by developer/end user application (which meets most use cases)
- We do not have any management APIs to link an API key to a set of 1-N access tokens, meaning you could not build anything custom on this front
If you are able to explain your use case a bit more we may be able to devise a plan forward accordingly, thanks!
Best
Matt
We are using Apigee OAuth (Client Credentials flow), and in our use case:
-
Users can generate multiple API keys under the same App.
-
Each key can have its own access token.
-
We do not store access tokens in our database.
What we want to achieve:
If a user requests a new access token using Key1 (before the previous token has expired), we want the old token for Key1 to be revoked automatically — but tokens issued for Key2, Key3, etc. should remain active.