Revoking Access Tokens
<ACCESS_TOKEN> values never expire. You have to revoke the <ACCESS_TOKEN>. If you ever need to reauthenticate an account, you can have more than one <ACCESS_TOKEN> for an account.
While Nylas <ACCESS_TOKEN> values never expire, it is possible for them to become invalidated or deauthenticated.
Since Nylas access tokens never expire, we recommend revoking former Nylas access tokens when you reauthenticate accounts. You can use the Account Management /revoke-all endpoint with the keep_access_token body parameter to ensure former access tokens are revoked.
- Authenticate a Google account and get initial
- The user changes their password, so the account becomes invalidated but the initial Nylas <ACCESS_TOKEN> is still active.
- Reauthenticate the Google account and get a new <ACCESS_TOKEN> for the account.
- keep_access_token=<ACCESS_TOKEN> using the new access token from Step 3.
If you use the /revoke-all endpoint and don't use keep_access_token to keep at least one access token, the Gmail refresh_token is also revoked.
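The revocation step and the refresh_token caveat above, as an added example that is not part of the Nylas documentation: a helper that builds the /revoke-all call and refuses to run without a token to keep. The base URL, the /a/{client_id}/accounts/{id}/ path, HTTP Basic authentication with the client secret, and all function names are assumptions to check against the API reference.

```python
import base64
import json
import urllib.request

# Assumption: base URL and path follow the Nylas v2 Account Management layout.
API_BASE = "https://api.nylas.com"


def build_revoke_all_request(client_id, client_secret, account_id, keep_access_token):
    """Build (but do not send) the POST that revokes every token except one."""
    # Guard for the caveat above: calling /revoke-all without keep_access_token
    # also revokes the Gmail refresh_token, so an empty value is rejected here.
    if not isinstance(keep_access_token, str) or not keep_access_token.strip():
        raise ValueError("keep_access_token is required: pass the token from reauthentication")

    url = f"{API_BASE}/a/{client_id}/accounts/{account_id}/revoke-all"
    body = json.dumps({"keep_access_token": keep_access_token}).encode()
    # Assumption: the client secret is sent as the HTTP Basic username, empty password.
    basic = base64.b64encode(f"{client_secret}:".encode()).decode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Authorization": f"Basic {basic}", "Content-Type": "application/json"},
    )


def revoke_former_tokens(client_id, client_secret, account_id, new_access_token, send=None):
    """After reauthentication, revoke all access tokens except the new one."""
    req = build_revoke_all_request(client_id, client_secret, account_id, new_access_token)
    # 'send' is injectable so the call can be exercised without network access.
    send = send or urllib.request.urlopen
    with send(req) as resp:
        return resp.status
```

Call revoke_former_tokens only after the reauthentication step has returned the new token, and keep both the client secret and the access tokens out of logs.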