
Revoke user consent

To revoke a user's consent in Ory OAuth2 and OpenID Connect, use one of the following methods. Consent can be revoked for a single OAuth2 client or for all OAuth2 clients at once.

Per Application Basis

Use the Ory SDK to revoke a user's consent for a specific OAuth2 client:


import { Configuration, OAuth2Api } from "@ory/client"

// API client authenticated with the Ory API key from the environment
const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function revokeConsent() {
  // Revoke the consent this user granted to one specific OAuth2 client
  await ory.revokeOAuth2ConsentSessions({
    subject: "some-user-id",
    client: "some-client-id",
  })
}

All Applications

Use the Ory SDK to revoke a user's consent for all OAuth2 clients:


import { Configuration, OAuth2Api } from "@ory/client"

// API client authenticated with the Ory API key from the environment
const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function revokeConsent() {
  // Revoke the consent this user granted to every OAuth2 client
  await ory.revokeOAuth2ConsentSessions({
    subject: "some-user-id",
    all: true,
  })
}
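
The following is an added example, not part of the Ory documentation: a wrapper covering both modes above that validates the revocation scope before calling the API and then lists the subject's consent sessions to confirm nothing is left. The helper names are hypothetical, `oauth2` is an `OAuth2Api` instance configured as shown above, and the check assumes `listOAuth2ConsentSessions` returns only currently granted consents (first page only).

```javascript
// Added example. `oauth2` is an OAuth2Api instance from @ory/client,
// passed in by the caller; helper names are hypothetical.

// Build the request, refusing an empty or ambiguous scope before any API call.
// Rejecting `client` together with `all` is this example's own guard.
function buildRevokeRequest({ subject, client, all = false }) {
  if (typeof subject !== "string" || subject.trim() === "") {
    throw new Error("subject is required")
  }
  if (all && client) {
    throw new Error("pass either client or all, not both")
  }
  if (!all && !client) {
    throw new Error("pass a client ID, or all: true to revoke every grant")
  }
  return all ? { subject, all: true } : { subject, client }
}

// Consent sessions that should no longer exist after the revocation.
// With no client given (all: true), every remaining session counts.
function remainingConsents(sessions, client) {
  return sessions.filter(
    (s) => !client || s.consent_request?.client?.client_id === client,
  )
}

// Revoke, then list the subject's consent sessions to confirm the result.
// Assumption: only the first page of results is checked.
async function revokeAndVerify(oauth2, options) {
  const request = buildRevokeRequest(options)
  await oauth2.revokeOAuth2ConsentSessions(request)
  const { data } = await oauth2.listOAuth2ConsentSessions({
    subject: request.subject,
  })
  const left = remainingConsents(data ?? [], request.client)
  if (left.length > 0) {
    throw new Error(`${left.length} consent session(s) still active`)
  }
  return request
}
```

Failing closed on a missing scope keeps an empty `client` value from turning into a request the caller did not intend.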

Important Note

Revoking a user's consent automatically revokes all related access and refresh tokens. However, do not use this endpoint to invalidate user sessions. If you are using access and refresh tokens as user sessions instead of browser cookies, you should revise your approach and usage of OAuth2.