Token revoking - how does it work exactly?

Hello,

I’ve got two questions about the authentication system.

  1. Is it possible that a token is revoked before it expires? Is it possible to manually revoke a token?
  2. Is it normal and expected behavior that the “old” token still works even if I have already generated a new one?

I’m creating a client for Stuart in Python (unfortunately there’s no SDK for it) and I want to be prepared for the situation where the token has not expired yet, but the API tells me that it was revoked.

I’ve seen the topic “When should I renew my oAuth2 access token?”, but it doesn’t answer my question.

Thank you!
Michal

Hello @michalsut,

Answering your questions:

  1. It’s unlikely but possible that a token is invalid when you use it before its expiration time. There are multiple reasons for this, one of them being us detecting that a token has been compromised. We’d revoke it immediately, so if you continue using it on your side, our servers will respond with a 401.
  2. It’s expected behavior. Newly generated tokens do not expire nor revoke previous tokens.

Something I would encourage you to do, @michalsut, is to add a delay after generating a token so that you give the replicas enough time to sync the newly generated token from the main database. During peak hours, we might face a 1-2 second delay between master and replicas.
In the past we’ve seen integrators having trouble with a newly generated token because of this.

If you would like to make this Stuart python client open source, we will link it in our documentation so that others can benefit from it.

Let us know if you have any other doubts.

Thank you,
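The token handling Sergi describes above (a token can be rejected with a 401 before it expires, a new token does not invalidate the old one, and a freshly minted token may not be visible on the read replicas for a second or two), as an added example in Python. This is not Stuart’s SDK and not code posted by anyone in this thread. It assumes a standard OAuth2 client_credentials token endpoint returning `access_token` and `expires_in`, that a revoked or not-yet-replicated token makes API calls answer HTTP 401, and the `TOKEN_URL` / `API_BASE` values are hypothetical placeholders. The HTTP transport is injected so the whole thing runs offline against a constructed fake server that can revoke tokens and simulate replica lag; the `settle_delay` knob is Sergi’s suggested post-generation pause, which the later post in this thread says is no longer required but harmless.

```python
"""OAuth2 token lifecycle for a client-credentials API client: 401 retry
after revocation, plus an optional settle delay after minting a token.

Added example for this thread; not Stuart's SDK and not code anyone here
posted. Assumed (not stated in the thread): standard OAuth2 client_credentials
token endpoint, 401 for revoked/unreplicated tokens, placeholder URLs.
"""
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_URL = "https://api.example.invalid/oauth/token"  # hypothetical
API_BASE = "https://api.example.invalid/v2"            # hypothetical


@dataclass
class Response:
    status: int
    body: dict


class RevokedTokenError(Exception):
    """A freshly minted token was rejected too: stop retrying, surface it."""


class TokenClient:
    # transport(method, url, headers, form) -> Response is injected so the
    # example runs offline against FakeAuthServer below.
    def __init__(self, transport, client_id, client_secret, settle_delay=0.0,
                 skew=30.0, now=time.time, sleep=time.sleep):
        self._transport, self._now, self._sleep = transport, now, sleep
        self._creds = {"grant_type": "client_credentials",
                       "client_id": client_id, "client_secret": client_secret}
        self.settle_delay = settle_delay  # seconds to wait after minting
        self.skew = skew                  # renew this long before expiry
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.tokens_minted = 0

    def _fetch_token(self):
        resp = self._transport("POST", TOKEN_URL, {}, self._creds)
        if resp.status != 200:
            raise RuntimeError(f"token endpoint returned {resp.status}")
        self._token = resp.body["access_token"]
        self._expires_at = self._now() + float(resp.body.get("expires_in", 0))
        self.tokens_minted += 1
        if self.settle_delay > 0:   # Sergi's advice: let replicas catch up
            self._sleep(self.settle_delay)

    def _call(self, method, path, data):
        hdrs = {"Authorization": f"Bearer {self._token}"}
        return self._transport(method, API_BASE + path, hdrs, data)

    def request(self, method, path, data=None):
        if self._token is None or self._now() >= self._expires_at - self.skew:
            self._fetch_token()
        resp = self._call(method, path, data)
        if resp.status == 401:
            # Rejected before expiry (revoked server-side, or replica lag):
            # drop it, mint a new one, retry exactly once.
            self._token = None
            self._fetch_token()
            resp = self._call(method, path, data)
            if resp.status == 401:
                raise RevokedTokenError("new token was rejected as well")
        return resp


class FakeClock:
    """Deterministic clock: sleep() advances time instead of blocking."""
    def __init__(self): self.t = 1000.0
    def now(self): return self.t
    def sleep(self, s): self.t += s


class FakeAuthServer:
    """Constructed stand-in for the API: issues tokens, revokes on demand, and
    models master->replica lag by rejecting tokens younger than replica_lag."""
    def __init__(self, clock, replica_lag=0.0):
        self.clock, self.replica_lag = clock, replica_lag
        self.issued, self.revoked, self.serial = {}, set(), 0

    def revoke(self, token): self.revoked.add(token)

    def __call__(self, method, url, headers, data):
        if url == TOKEN_URL:
            self.serial += 1
            tok = f"tok{self.serial}"
            self.issued[tok] = self.clock.now()   # older tokens stay valid
            return Response(200, {"access_token": tok, "expires_in": 3600})
        tok = headers.get("Authorization", "")[len("Bearer "):]
        age = self.clock.now() - self.issued.get(tok, float("inf"))
        if tok in self.revoked or age < self.replica_lag:
            return Response(401, {"error": "token revoked or unknown"})
        return Response(200, {"ok": True, "token": tok})


def demo_revocation():
    """Token revoked mid-lifetime: client gets 401, mints tok2, retries."""
    clock = FakeClock()
    server = FakeAuthServer(clock)
    c = TokenClient(server, "id", "secret", now=clock.now, sleep=clock.sleep)
    first = c.request("GET", "/jobs").body["token"]
    server.revoke(first)
    second = c.request("GET", "/jobs").body["token"]
    return first, second, c.tokens_minted


def demo_replica_lag(settle_delay):
    """1.5 s replica lag: with no settle delay even the retry fails (401);
    with settle_delay=2 the first call succeeds (200)."""
    clock = FakeClock()
    server = FakeAuthServer(clock, replica_lag=1.5)
    c = TokenClient(server, "id", "secret", settle_delay=settle_delay,
                    now=clock.now, sleep=clock.sleep)
    try:
        return c.request("GET", "/jobs").status
    except RevokedTokenError:
        return 401
```

The retry is deliberately limited to one regeneration: if the second token is also rejected, something other than a routine revocation is wrong (bad credentials, a server-side block, or replica lag that a settle delay would cover), and looping on the token endpoint would only hammer it. `skew` renews a little before `expires_in` so a token is not used in its last seconds; it does not help with revocation, which the 401 path handles.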

Thanks a lot @Sergi for the explanation! I will take care of the delay.

Unfortunately, this client is part of a bigger project and the Stuart integration is strongly connected to the business logic, so it’s not possible to share the solution. But maybe one day I’ll do something open source 🙂

Regards,
Michal


An update regarding the following point:

The known issue of replica delay, which was causing some integrators to experience “token revoked” errors, has now been resolved on our platform. Although adding a delay as mentioned above will certainly cause no harm, it is no longer a requirement, as the replica sync issue has been resolved at its core. Our tips and best practices regarding authentication can now be found in our related oAuth authentication post.
