Revoke OAuth Token

Respect user privacy by enabling them to revoke unwanted OAuth tokens.


Users should be able to revoke access to their accounts. To revoke an OAuth token, send a request to the Revoke Token endpoint.

Before you start

Step 1: Add code to let users revoke access to their accounts

Create a PHP file called revoke_token.php and add code to let users revoke access to their accounts. Make sure the revoke token page is in the same password-protected area as the main OAuth flow page.

<h2>Revoke Access to your Account</h2>
<p>
  Click the button below to close your account or revoke access to your Square
</p>

<form action="revoke_token.php" method="post">
  <input type="submit" id="submit" value="Revoke Access" />
</form>

Step 2: Add a function that revokes the OAuth token

Add a function (revokeToken) to call the OAuth API and revoke the access token.

<?php
// Define constants
if (!defined('_SQ_DOMAIN')) {
    define('_SQ_DOMAIN', "connect.squareup.com");
}
if (!defined('_SQ_APP_ID')) {
    define('_SQ_APP_ID', "{REPLACE_ME}");
}
if (!defined('_SQ_APP_SECRET')) {
    define('_SQ_APP_SECRET', "{REPLACE_ME}");
}

// Revokes access token
function revokeToken($accessToken) {

  // Request body: the application ID and the token to revoke
  $revokeRequestBody = array(
    'client_id' => _SQ_APP_ID,
    'access_token' => $accessToken,
  );
  $encodedData = json_encode($revokeRequestBody);

  // The application secret authenticates the request
  $requestHeaders = array(
    "Content-Type: application/json",
    "Accept: application/json",
    'Authorization: Client ' . _SQ_APP_SECRET
  );
  array_push($requestHeaders, "Content-Length: " . strlen($encodedData));

  // Use https:// explicitly so the secret and token are never sent in cleartext
  $curlHandle = curl_init('https://' . _SQ_DOMAIN . '/oauth2/revoke');
  curl_setopt($curlHandle, CURLOPT_POSTFIELDS, $encodedData);
  curl_setopt($curlHandle, CURLOPT_CUSTOMREQUEST, "POST");
  curl_setopt($curlHandle, CURLOPT_HTTPHEADER, $requestHeaders);
  curl_setopt($curlHandle, CURLOPT_RETURNTRANSFER, 1);
  $response = json_decode(curl_exec($curlHandle), true);
  curl_close($curlHandle);

  // Prints "Success!" if you successfully revoke the token.
  if (
      ($response == null) ||
      (!is_array($response)) ||
      (!array_key_exists('success', $response))
  ) {
    throw new Exception("Error Processing Request: Revoke token failed!", 1);
  } else {
    $accessToken = " ";
    echo "Success!";
  }
}

If your request is successful, the Revoke Token endpoint revokes the OAuth token and your code prints "Success!"
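
The two steps above leave open how revoke_token.php decides whether a form post may trigger revokeToken. The following is an added example, not Square's code: a request handler that enforces the "same password-protected area" requirement and rejects cross-site form posts. The names handleRevokeRequest, the user_id and csrf_token session keys, and $tokenStore are hypothetical.

```php
<?php
// Added example, not Square's code. Hypothetical names: handleRevokeRequest,
// the user_id and csrf_token session keys, and the $tokenStore array.

// Returns the HTTP status for a revoke request. $revoke is a callable that
// takes the access token and throws on failure, such as revokeToken().
function handleRevokeRequest(string $method, array $post, array &$session,
                             array &$tokenStore, callable $revoke): int {
    if ($method !== 'POST') {
        return 405; // revocation changes state, so GET is refused
    }
    if (empty($session['user_id'])) {
        return 401; // the page sits behind the same login as the OAuth flow
    }
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || empty($session['csrf_token'])
        || !hash_equals($session['csrf_token'], $sent)) {
        return 403; // form post did not originate from our own page
    }
    $userId = $session['user_id'];
    if (!isset($tokenStore[$userId])) {
        return 404; // no stored token for this user
    }
    try {
        // The token is looked up server-side, never read from the request.
        $revoke($tokenStore[$userId]);
    } catch (Exception $e) {
        return 502; // keep the stored token so the user can retry
    }
    unset($tokenStore[$userId]);   // drop the local copy once revoked
    unset($session['csrf_token']); // the CSRF token is single-use
    return 200;
}

// Constructed sample run; the stub stands in for the real API call.
$session = ['user_id' => 'u1', 'csrf_token' => bin2hex(random_bytes(32))];
$store   = ['u1' => 'EXAMPLE_ACCESS_TOKEN'];
$stub    = function (string $token): void {};

$forged = handleRevokeRequest('POST', ['csrf_token' => 'x'], $session, $store, $stub);
$valid  = handleRevokeRequest('POST', ['csrf_token' => $session['csrf_token']],
                              $session, $store, $stub);
echo "forged: $forged, valid: $valid\n";
```

For this check to pass, the form from Step 1 would carry the session's csrf_token value in a hidden input.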
