Revoking Access Tokens
<ACCESS_TOKEN> never expires. If you want to stop using it, you'll have to revoke it. If you ever need to re-authenticate an account, you can have more than one access token for an account.
Even though a Nylas access token never expires, it's possible for them to become invalidated or de-authenticated.
Since Nylas access tokens never expire, we recommend revoking former Nylas access tokens when you re-authenticate accounts. You can use the Account Management /revoke-all endpoint with the keep_access_token body parameter to ensure former access tokens are revoked. An example workflow is described below:
1. Authenticate a Google account and get the initial <ACCESS_TOKEN>.
2. The user changes their password and the account becomes invalidated. However, the initial Nylas <ACCESS_TOKEN> is still active.
3. Re-authenticate the Google account and receive a new <ACCESS_TOKEN> for the account.
4. Call the /revoke-all endpoint with keep_access_token=<ACCESS_TOKEN> using the new access token from Step 3.
If you use the /revoke-all endpoint and don't use keep_access_token to keep at least one access token, the Gmail refresh_token is also revoked.
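The last step of the workflow, sketched as an added example (not Nylas's own code): it builds the /revoke-all call and refuses to send it without keep_access_token, so a re-authentication job cannot revoke the Gmail refresh_token by accident. The base URL, path layout, HTTP Basic authentication with the client secret, and all function names are assumptions to check against the Nylas API reference.

```python
import base64
import json
import urllib.request

# Assumption (not stated on this page): base URL and path layout of the
# Account Management API. Confirm against the Nylas API reference.
API_BASE = "https://api.nylas.com"


def build_revoke_all_request(client_id, client_secret, account_id, keep_access_token):
    """Build the POST to /revoke-all that keeps only the given access token."""
    # Guard for the failure mode described above: without keep_access_token
    # every token is revoked and the Gmail refresh_token goes with them.
    if not isinstance(keep_access_token, str) or not keep_access_token.strip():
        raise ValueError("keep_access_token is required; refusing to revoke every token")
    url = f"{API_BASE}/a/{client_id}/accounts/{account_id}/revoke-all"
    body = json.dumps({"keep_access_token": keep_access_token}).encode()
    # Assumption: HTTP Basic auth, client secret as username, empty password.
    basic = base64.b64encode(f"{client_secret}:".encode()).decode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Authorization": f"Basic {basic}", "Content-Type": "application/json"},
    )


def revoke_former_tokens(client_id, client_secret, account_id, new_access_token,
                         opener=urllib.request.urlopen):
    """Call once re-authentication has returned the new access token."""
    req = build_revoke_all_request(client_id, client_secret, account_id, new_access_token)
    with opener(req, timeout=10) as resp:
        return resp.status  # HTTP status code of the revoke call
```

Run it only after the new token has been stored, and pass the client secret from a secrets manager rather than source code.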