This repository was archived by the owner on Jul 4, 2020. It is now read-only.

Provide an API for revoking access tokens #600

Closed
teckays opened this issue Jul 3, 2017 · 7 comments

Comments

@teckays

teckays commented Jul 3, 2017

Our use case is simple. We need a programmatic way to revoke users' access/refresh tokens (like any other normal OAuth provider). The main reason behind it is that we need to ensure that we're always in sync with the authorization status. Having our users head over to the Apps page as described here is a no-go, since this could cause corrupted data, which would in turn lead to support tickets and angry customers.

There are really only 2 approaches:

  1. Delete the token on our end, then ask the user to revoke the app from the Apps page, which will cause an error if the user forgets to revoke it on Spotify and then tries to re-connect with our app again.
  2. Ask the user to revoke it on Spotify first, then rely on the fact that they will revoke it in our app as well, which causes even more problems in the way we handle these third-party applications internally.

None of the above solutions ensures 100% synchronisation between the user's decision and the data we store.

@hughrawlinson
Contributor

Thanks for the feature request, we'll look into providing this. Having said that, though, if you delete your token and your user forgets to revoke access, when they try to re-auth you can just save the new refresh token; it shouldn't necessarily cause an error.

@teckays
Author

teckays commented Aug 14, 2017

Thank you @hughrawlinson for the answer. Re-auth-ing works as you mentioned; the main problem, though, would be misleading the users who revoke on our end and then see the app still in the app list when they log in to Spotify.

@teckays teckays closed this as completed Aug 14, 2017
@hughrawlinson
Contributor

Hey @teckays, please feel free to keep this issue open, if it gathers interest from the community we may be able to prioritize it in the future!

@hughrawlinson hughrawlinson reopened this Aug 14, 2017
@bih bih changed the title Could you provide an API for token revocation? Please? Provide an API for revoking access tokens Jul 27, 2018
@kasperkamperman

This would really be a user-friendly option. I think users should also be able to revoke access on my application page by clicking a button. This could be facilitated through the API or with a specific link towards my application to revoke it on Spotify (instead of letting the user browse the whole list of Approved Applications).

@jscholes

I think users should also be able to revoke access on my application page by clicking a button.

I don't agree. When a user carries out this action via the Spotify website, they are reasonably reassured that this is being handled on Spotify's side. If they come across an application which is a bad actor, they know that they can cut it off for good. If you start moving that option over to apps themselves, the user doesn't have that reassurance. What if an app claims to have de-authorized itself when it hasn't? If a user's account is subsequently misused, is it a reasonable defence for them to say that they just didn't check the Spotify website afterwards? And if users are encouraged to check their account settings anyway, de-authorizing an app without going there loses all of its perceived value.

@bih bih added the wontfix label Aug 15, 2018
@bih
Member

bih commented Aug 15, 2018

I don't think this provides any users with significant value, largely for the reasons @jscholes mentions. The only benefit I can see is that it allows developers to be "good citizens" in revoking access for a user they don't need anymore.

For this reason, we will not consider it as-is for the next 6 months. I will close this as wontfix as a result. Feel free to comment or create a new issue with new use cases if you have them, and we can revisit this particular request!

Cheers 👍

@bih bih closed this as completed Aug 15, 2018
@kasperkamperman

kasperkamperman commented Aug 15, 2018

Ok, I understand the reasons that @jscholes mentions regarding the API. Nonetheless, right now I can only point the user to their app permissions overview (which is, in my personal case, a long list): https://www.spotify.com/account/apps/

A more specific link (it could even be an anchor tag) could be used to show the specific application/description/revoke link directly to the user.
