Revoking Access Tokens
Nylas <ACCESS_TOKEN>s never expire. To invalidate an <ACCESS_TOKEN>, you have to revoke it. If you ever need to reauthenticate an account, you can have more than one <ACCESS_TOKEN> for an account.
While Nylas <ACCESS_TOKEN>s never expire, it is possible for them to become invalidated or deauthenticated.
Revoking Tokens
Since Nylas access tokens never expire, we recommend revoking former Nylas access tokens when you reauthenticate accounts. You can use the Account Management /revoke-all endpoint with the keep_access_token body parameter to ensure former access tokens are revoked.
1. Authenticate a Google account and get the initial <ACCESS_TOKEN>.
2. The user changes their password, so the account becomes invalidated, but the initial Nylas <ACCESS_TOKEN> is still active.
3. Reauthenticate the Google account and get a new <ACCESS_TOKEN> for the account.
4. Call the /revoke-all endpoint with keep_access_token=<ACCESS_TOKEN>, using the new access token from Step 3.
Gmail Limitations
If you use the /revoke-all endpoint and don't use the keep_access_token parameter to keep at least one access token, the Gmail refresh_token is also revoked.
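
The following is an added example, not Nylas's own code: it builds the Step 4 /revoke-all request and refuses to build one without keep_access_token, which is the case the Gmail limitation above describes. The base URL, the /a/{client_id}/accounts/{id}/ path layout, the HTTP Basic authentication with the client secret, and the function names are assumptions; the page itself only names the endpoint and the body parameter.

```python
import base64
import json
import urllib.request
from urllib.parse import quote

# Assumption: Nylas Account Management base URL and path layout; the page
# only names the /revoke-all endpoint and the keep_access_token parameter.
API_BASE = "https://api.nylas.com"


def build_revoke_all_request(client_id, client_secret, account_id, keep_access_token):
    """Build the POST that revokes every token for an account except one."""
    # Guard for the Gmail limitation: without keep_access_token the call also
    # revokes the Gmail refresh_token, so this helper never sends that form.
    if not keep_access_token or not keep_access_token.strip():
        raise ValueError("keep_access_token is required: omitting it revokes "
                         "every access token and the Gmail refresh_token")
    # Percent-encode path segments so an odd identifier cannot alter the path.
    url = "{}/a/{}/accounts/{}/revoke-all".format(
        API_BASE, quote(client_id, safe=""), quote(account_id, safe=""))
    body = json.dumps({"keep_access_token": keep_access_token}).encode("utf-8")
    # Assumption: HTTP Basic auth, client secret as username, empty password.
    basic = base64.b64encode((client_secret + ":").encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/json"},
    )


def revoke_former_tokens(client_id, client_secret, account_id, new_access_token):
    """Step 4: call after reauthentication, keeping only the new token."""
    req = build_revoke_all_request(client_id, client_secret, account_id,
                                   new_access_token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8") or "{}")


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    demo = build_revoke_all_request("CLIENT_ID", "CLIENT_SECRET",
                                    "ACCOUNT_ID", "NEW_ACCESS_TOKEN")
    print(demo.get_method(), demo.full_url)
    print(demo.data.decode("utf-8"))
```

Call revoke_former_tokens only after the reauthentication in Step 3 has returned the new token, so the account is never left without a valid access token.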