New Security Enhancements for Revoking Access Tokens

Jonathan LeBlanc
Sep 18, 2019 · 2 min read
Token Revocation API Documentation at

We’re happy to announce new enhancements around how you can manage the secure revocation of access tokens within Box. We are extending the capabilities of the /revoke endpoint to provide the ability to revoke both standard fully scoped access tokens (current functionality), as well as downscoped tokens (new functionality).

What are access tokens and what’s changing?

Even if you’re not familiar with what an access token is, you will have interacted with them if you’ve made API calls to Box. Think of an access token as your skeleton key that grants an application permission to access data for other users and do things on their behalf. A downscoped token is a variant of the access token, which you encode to restrict access to only certain functions (e.g. read, write, download) for only a certain file or folder — this is ideal for exposing tokens within potentially unsecure environments, such as front-end code, mobile environments, hardware, and others.

Up until this launch, the /revoke endpoint could only revoke fully scoped access tokens that don’t go through the downscoping process, but couldn’t revoke any tokens that had gone through the downscoping process. You now have the ability to revoke both.

What does this mean for you?

The ability to revoke downscoped tokens provides you with a larger degree of control over your security within potentially unsecure environments. Although these downscoped tokens only live for an hour before they self-expire, you may want to further restrict their lifespan to only the window of time that they are required to decrease potential data exposure. This new feature enables a number of new token workflows, such as revoking downscoped tokens when:

  • A user leaves you site or logs out instead of letting it expire on its own.
  • You’ve identified suspicious user actions and want to force an additional verification step for the user to ensure they are who they say they are.
  • You need to push new security enhancements to your site or service and want to force everyone off of existing tokens.

As always, your feedback on security and product needs powers how Box Platform is built and enhanced. If you have suggestions on new products, enhancements, or issues we’d love to hear what you think over at Box Pulse, which helps us to enable more transparent requests and build processes at Box.

Happy coding!

Box Developer Blog

News and stories for working with the Box APIs

Jonathan LeBlanc

Written by

Emmy award winner, O'Reilly author, open source contributor, Director of Developer Advocacy at Box.

Box Developer Blog

News and stories for working with the Box APIs

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade