New Security Enhancements for Revoking Access Tokens

Jonathan LeBlanc
Sep 18, 2019 · 2 min read
Token Revocation API Documentation at

We’re happy to announce new enhancements around how you can manage the secure revocation of access tokens within Box. We are extending the capabilities of the /revoke endpoint to provide the ability to revoke both standard fully scoped access tokens (current functionality), as well as downscoped tokens (new functionality).

What are access tokens and what’s changing?

Even if you’re not familiar with what an access token is, you will have interacted with them if you’ve made API calls to Box. Think of an access token as your skeleton key that grants an application permission to access data for other users and do things on their behalf. A downscoped token is a variant of the access token, which you encode to restrict access to only certain functions (e.g. read, write, download) for only a certain file or folder — this is ideal for exposing tokens within potentially unsecure environments, such as front-end code, mobile environments, hardware, and others.

Up until this launch, the /revoke endpoint could revoke only fully scoped access tokens; tokens that had gone through the downscoping process could not be revoked. You now have the ability to revoke both.

What does this mean for you?

The ability to revoke downscoped tokens provides you with a larger degree of control over your security within potentially unsecure environments. Although these downscoped tokens only live for an hour before they self-expire, you may want to further restrict their lifespan to only the window of time in which they are required, to decrease potential data exposure. This new feature enables a number of new token workflows, such as revoking downscoped tokens when:
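The following added example, which is not code from the original post or from Box, confines a downscoped token to the block of work that needs it and revokes it on exit, including when that work fails. The endpoint URLs and form fields follow Box's public OAuth 2.0 API reference; the function names, the injectable `post` transport and any sample values are assumptions.

```python
import contextlib
import json
import urllib.parse
import urllib.request

# Box OAuth 2.0 endpoints (from Box's public API reference, not from the post).
TOKEN_URL = "https://api.box.com/oauth2/token"
REVOKE_URL = "https://api.box.com/oauth2/revoke"


def post_form(url, fields):
    """Send a form-encoded POST and return the decoded JSON body ({} if empty)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def downscope(parent_token, scope, resource, post=post_form):
    """Exchange a fully scoped token for one limited to `scope` on `resource`."""
    reply = post(TOKEN_URL, {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": parent_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "scope": scope,
        "resource": resource,
    })
    return reply["access_token"]


def revoke(token, client_id, client_secret, post=post_form):
    """Revoke a token (fully scoped or downscoped) at the /revoke endpoint."""
    post(REVOKE_URL, {"client_id": client_id,
                      "client_secret": client_secret,
                      "token": token})


@contextlib.contextmanager
def short_lived_token(parent_token, scope, resource,
                      client_id, client_secret, post=post_form):
    """Yield a downscoped token and revoke it when the block exits."""
    token = downscope(parent_token, scope, resource, post)
    try:
        yield token
    finally:
        # Runs on normal exit and on exceptions, so the token never
        # outlives the work it was minted for.
        revoke(token, client_id, client_secret, post)
```

Run this on the server side: revocation needs the client secret, which should not ship with the front-end or mobile code that receives the downscoped token.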

As always, your feedback on security and product needs powers how Box Platform is built and enhanced. If you have suggestions on new products, enhancements, or issues, we’d love to hear what you think over at Box Pulse, which helps us to enable more transparent requests and build processes at Box.

Happy coding!

Box Developer Blog

News and stories for working with the Box APIs
