Skip to content

How do I revoke an API token?

Requires Basic

Open Administration → API Tokens, find the token (name/prefix), and choose Revoke — after confirming “Revoke this token?”, it becomes immediately and permanently invalid. A revocation cannot be undone; if needed, simply create a new token.

  1. Identify the token. Administration → API Tokens. Match the entry by name and prefix (the first 12 characters, e.g., inv_9f3kX2mQ) — the prefix also appears at the start of the value in your integration. Last used helps you judge whether it’s still needed.

  2. Revoke. Click the entry’s Revoke action and confirm “Revoke this token?”. The entry disappears from the list; every further request with this token fails from that point on.

  3. When rotating: replace first, then revoke. If an integration is running in production: first create a new token, switch the integration over, verify it works — then revoke the old one. That way there’s no downtime.

  • A hard, immediate cut. Revocation deletes the token record (no soft delete). Since every API request checks the token live via a hash lookup, the revocation takes effect on the next request — there are no sessions or caches that keep running.
  • No restoring it. Because only the hash existed server-side, a revoked token can neither be reactivated nor shown again. Replacement = a new token.
  • Alternative ways to invalidate a token. Besides revocation, both the expiration date (expires_at) and deactivating the owner’s account also invalidate a token — the latter is the emergency stop for administrators when someone else’s account is affected (deactivating a user).
  • Ownership is strictly checked. The endpoint filters on your user and tenant: other users’ tokens can’t be found (404 instead of 403 — no existence disclosure).