Can I revoke a token programmatically?

I am currently writing an integration where we require the user to grant us permission temporarily via OAuth in order to retrieve some information and configure some items. My plan is to then revoke the token (it can be regenerated if changes are required) so that users don’t have to do it themselves.

Sorry if I’m missing something obvious, but does PagerDuty not implement https://app.pagerduty.com/oauth/revoke? I tried accessing it but I get a 404, nor is it documented as a step like the others. The example provided with the bulk user editor doesn’t actually revoke permission; it simply deletes the token, which doesn’t quite feel like the same thing to me.

Finally (and sorry about the potential confusion around terminology), once I develop an App and users connect to it, where do they go to see that they are connected? Is authorizing an app via OAuth the same as installing an App, or are they separate? The reason I ask is that despite having authorized the app for my account, I don’t see it listed anywhere under Integrations, Add-ons, etc… Perhaps this is because it is only in draft mode or perhaps it’s something about the way I’m enabling it?

Ultimately, I guess I’m asking how the user can revoke permission to the App (assuming I’m not able to do it myself or if they want to verify) etc…

Thank you,

ps.

To address your questions in order,

(1) "Does PagerDuty not implement https://app.pagerduty.com/oauth/revoke?" - as you pointed out, the only example of doing so programmatically that we currently provide performs deletion as opposed to revocation of the token. Allow me to confirm with the team responsible for the functionality to see whether there is a better way than the deletion seen in our sample tool (https://github.com/PagerDuty-Samples/pagerduty-bulk-user-mgr-sample/blob/890d2d39723729d933de4e289ce23ec0ad133d51/js/pagerduty-bulk-user-mgr.js#L79-L81).

(2) “The reason I ask is that despite having authorized the app for my account, I don’t see it listed anywhere under Integrations, Add-ons, etc… Perhaps this is because it is only in draft mode or perhaps it’s something about the way I’m enabling it?” - I believe the answer would depend on the desired implementation of the app. For example, app event transformers (https://developer.pagerduty.com/docs/app-integration-development/app-event-transforms/) should be available from the integration dropdown of individual services on your account with your app still in draft mode. Based on your description of your app, however, I believe you are building something that interacts with our REST API, as opposed to the Events API that App Event Transformers use. In that case, your options for making the app available to users would be to host it externally (like our sample app - https://pagerduty-samples.github.io/pagerduty-bulk-user-mgr-sample/), or create an add-on (for details on how to do it, see the last option of the API picker here - https://developer.pagerduty.com/docs/app-integration-development/api-picker/).

Kat,

Thanks for the reply. The only thing I can personally compare it to is an integration I did with QuickBooks Online. They have a similar “App” mechanism in which, when a user authorizes your App, it appears in a list along with a revoke button to remove access to the account.

The documentation for your App suggests that the same is possible -

Specifically “Allow PagerDuty Users to monitor and revoke access to your app at any time” which only seems possible if it’s actually visible within the PD UI.

Ultimately my implementation doesn’t require an on-going connection to the customer environment and my preference is to remove ourselves so that we can’t be caught up in the finger pointing if something goes wrong in the customer environment. While deleting the token on our end would technically mean that we couldn’t possibly do anything in the customer environment, my preference is to completely eliminate the possibility in the customer’s mind. If we can’t do this programmatically, I’d like to instruct the customer to do it manually but I can’t if I don’t know where it is within your UI.

Thanks again,

ps.

Thank you for waiting while I confirmed this internally! I can share that the existing options for revoking tokens are (1) revoke all (by the app owner) in the developer mode flow, (2) revoke a single token through the user profile in the web UI (user profile > User Settings tab). There’s also an undocumented endpoint I can share with you for revoking tokens programmatically. For details, I’d prefer if you raised a support ticket with support@pagerduty.com, but I’d like to note that we discourage using undocumented endpoints as much as possible, as any future changes may break your custom solutions utilising them.

Thanks Kat. I’m not a PD user so I’ve had limited time to go through the UI; I see the App and the revoke option. My preference is still to revoke it programmatically, so I’ll open a case with support and we can keep an eye on the calls to ensure that they’re working.

Thanks again,

ps.

Thank you for confirming! See you on the ticket!