Skip to main content
POST

Revoke Tokens

Revoke all tokens for a user, including their MCP Identity Token and stored OAuth tokens.

Request

Headers

X-API-Key
string
required
Your MCP Rank API key

Body Parameters

user_id
string
required
Your user’s unique identifier

Response

Returns 200 OK on success.

What Gets Revoked

When you call this endpoint:
  • MCP Identity Token (MIT) - Immediately invalidated
  • Refresh token - Can no longer be used
  • Stored OAuth tokens - Deleted from server (Google, etc.)
The user will need to re-authenticate to access their data again.

When to Revoke Tokens

  • User logout - When a user signs out of your application
  • Account disconnection - When a user wants to disconnect their Google account
  • Security concerns - If you suspect token compromise
  • User deletion - When removing a user from your system

Important Notes

Users can also revoke access from:
  • The MCP Rank dashboard
  • Their Google account settings (accounts.google.com/permissions)

Error Responses