How do I revoke an API token?
Short answer
Section titled “Short answer”Open Administration → API Tokens, find the token (name/prefix), and choose Revoke — after confirming “Revoke this token?”, it becomes immediately and permanently invalid. A revocation cannot be undone; if needed, simply create a new token.
Prerequisites
Section titled “Prerequisites”Instructions
Section titled “Instructions”-
Identify the token. Administration → API Tokens. Match the entry by name and prefix (the first 12 characters, e.g.,
inv_9f3kX2mQ) — the prefix also appears at the start of the value in your integration. Last used helps you judge whether it’s still needed. -
Revoke. Click the entry’s Revoke action and confirm “Revoke this token?”. The entry disappears from the list; every further request with this token fails from that point on.
-
When rotating: replace first, then revoke. If an integration is running in production: first create a new token, switch the integration over, verify it works — then revoke the old one. That way there’s no downtime.
Revocation is a DELETE on the token (the list provides the id):
curl -H "Authorization: Bearer inv_dein_token" \ https://demo.notory.io/api/v1/api-tokenscurl -X DELETE https://demo.notory.io/api/v1/api-tokens/018f9e33-4d5e-7f66-a071-8b9c0d1e2f30 \ -H "Authorization: Bearer inv_dein_token"{ "success": true, "message": "API token revoked" }A call using the revoked token now returns:
{ "detail": "Invalid or expired API token" }Possible errors: 404 (token ID doesn’t exist or belongs to another user — other
users’ tokens are invisible to you), 401 (the request itself isn’t authenticated).
What happens behind the scenes?
Section titled “What happens behind the scenes?”- A hard, immediate cut. Revocation deletes the token record (no soft delete). Since every API request checks the token live via a hash lookup, the revocation takes effect on the next request — there are no sessions or caches that keep running.
- No restoring it. Because only the hash existed server-side, a revoked token can neither be reactivated nor shown again. Replacement = a new token.
- Alternative ways to invalidate a token. Besides revocation, both the expiration
date (
expires_at) and deactivating the owner’s account also invalidate a token — the latter is the emergency stop for administrators when someone else’s account is affected (deactivating a user). - Ownership is strictly checked. The endpoint filters on your user and tenant:
other users’ tokens can’t be found (
404instead of403— no existence disclosure).