
Revoke user consent

You can revoke user consent on a per-application basis, or for all applications to which the user granted their consent.

Danger

Revoking a user's consent automatically revokes all related access and refresh tokens. Don't use this method to invalidate user sessions.

If you are using access and refresh tokens as user sessions instead of browser cookies, you should revise your approach and usage of OAuth2.

Per-application basis

Use the Ory SDK to revoke user consent for a specific OAuth2 client:


import { Configuration, OAuth2Api } from "@ory/client"

// OAuth2 API client, authenticated with the Ory API key.
const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function revokeConsent() {
  // Revokes the consent this user granted to this one client.
  await ory.revokeOAuth2ConsentSessions({
    subject: "some-user-id",
    client: "some-client-id",
  })
}

All applications

Use the Ory SDK to revoke user consent for all OAuth2 clients:


import { Configuration, OAuth2Api } from "@ory/client"

// OAuth2 API client, authenticated with the Ory API key.
const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function revokeConsent() {
  // Revokes the consent this user granted to every client.
  await ory.revokeOAuth2ConsentSessions({
    subject: "some-user-id",
    all: true,
  })
}
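
The two modes above differ only in `client` versus `all: true`, so a wrapper can refuse an ambiguous request and then confirm the revocation took effect. This is an added example, not code from the Ory documentation: `buildRevokeParams`, `revokeAndVerify` and `makeFakeApi` are hypothetical names, and `oauth2` is assumed to be an `OAuth2Api` instance like `ory` above.

```javascript
// Added example. makeFakeApi is a constructed in-memory stand-in exposing the
// two OAuth2Api methods used here, so the example runs offline.

// Build the request, refusing ambiguous scopes so a missing client id can
// never silently widen into "revoke everything".
function buildRevokeParams({ subject, client, all } = {}) {
  if (typeof subject !== "string" || subject.trim() === "") {
    throw new Error("subject is required")
  }
  const hasClient = typeof client === "string" && client.trim() !== ""
  if (hasClient === (all === true)) {
    throw new Error("pass exactly one of `client` or `all: true`")
  }
  return hasClient ? { subject, client } : { subject, all: true }
}

// Revoke, then list what is left and return any session still in scope.
// Assumption: only the first page of the paginated listing is inspected.
async function revokeAndVerify(oauth2, request) {
  const params = buildRevokeParams(request)
  await oauth2.revokeOAuth2ConsentSessions(params)
  const { data } = await oauth2.listOAuth2ConsentSessions({ subject: params.subject })
  return (data ?? []).filter(
    (s) => params.all || s.consent_request?.client?.client_id === params.client,
  )
}

// Constructed stand-in for the API, for offline runs only.
function makeFakeApi(sessions) {
  return {
    async revokeOAuth2ConsentSessions({ subject, client, all }) {
      sessions = sessions.filter(
        (s) => s.subject !== subject || !(all || s.clientId === client),
      )
    },
    async listOAuth2ConsentSessions({ subject }) {
      const data = sessions
        .filter((s) => s.subject === subject)
        .map((s) => ({ consent_request: { subject, client: { client_id: s.clientId } } }))
      return { data }
    },
    remaining: () => sessions.length,
  }
}
```

A non-empty return value from `revokeAndVerify` means consent sessions in the requested scope are still listed after the call and the revocation should be investigated.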