

The DeleteToken API allows users to delete their own Tokens or Account Owners to delete users' Tokens, essentially logging a user out of a token-based authentication session. If a Token cookie was sent in the request, this API also attempts to delete the Token cookie from the user's browser by setting the cookie expiry in the response.

In apstrata, all requests must be authenticated. There are three methods for authenticating apstrata requests:

1. Default signature: This is the most secure method of authentication because it requires hashing all content of a request along with the secret of the account or the password of the user and then sending the hash. (read more)

2. Simple signature: This is the easiest method of authentication. It requires hashing a few select parameters along with the secret of the account or the password of the user and then sending the hash. It is recommended for testing and for applications that do not have access to all parameters, like files, in a request. (read more)

3. Token-based authentication: This is the recommended method of authentication for applications that make most of their requests as apstrata users, as opposed to owners. It is intended for use with SSL-encrypted connections over HTTP POST. It provides a similar experience to sessions since a Token is generated and renewed over a period of time, without the need to generate a signature for every request. (read more)

A Token can be used to authenticate a user in place of a signature. This allows the creation of applications that do not need access to the user's password, which is required for signature generation. Tokens provide a layer of simplicity, but must obey the following restrictions:

1. Token-based authentication is enabled for user requests only. Owner requests must use signatures.

2. Token-based authentication is enabled under secure (https) connections only.

Tokens can be created or renewed using VerifyCredentials and can then be passed as a parameter to requests instead of the signature.

When no longer needed, Tokens can be deleted and cleared using DeleteToken.



Specific Request Parameters

(Refer to Common Request Parameters)

Unlike other APIs, the "apsdb.authToken" and "apsws.user" parameters are not just used to authenticate the request but also to specify which token for which user to delete. Although these parameters are not mentioned below, they are required for a user to delete their own token.





Possible Values


This parameter has to be sent by the account owner to specify the list of user logins whose tokens are to be deleted. When sending this parameter, the "apsdb.authToken" and "apsws.user" parameters shouldn't be sent.



[The list of user logins whose tokens are to be deleted.]
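
An added example, not apstrata's own code: a client-side pre-flight check that builds the DeleteToken POST parameters for the two modes described above and splits an owner's revocation list into calls of at most 100 logins. The function name, the sample URL and the list representation of userList are assumptions; signing owner requests (apsws.authSig) is left to the caller.

```python
from urllib.parse import urlsplit

MAX_USERS = 100  # documented cap on userList per DeleteToken call


def build_delete_token_params(url, token=None, user=None, user_list=None):
    """Return one POST-parameter dict per DeleteToken call that is needed.

    User mode: token + user (deletes the caller's own token).
    Owner mode: user_list (batched to the documented 100-user limit).
    """
    if user_list is not None:
        # Owner mode: the page says the token parameters must not be sent.
        if token is not None or user is not None:
            raise ValueError("do not send apsdb.authToken/apsws.user with userList")
        logins = list(dict.fromkeys(user_list))  # drop duplicates, keep order
        if not logins:
            raise ValueError("The parameter userList is required")
        # Assumption: userList is kept as a Python list; the wire encoding
        # and the apsws.authSig signature are left to the caller.
        return [{"userList": logins[i:i + MAX_USERS]}
                for i in range(0, len(logins), MAX_USERS)]

    # User mode: the token is a bearer credential, so refuse plain http.
    if urlsplit(url).scheme != "https":
        raise ValueError("token-based requests require an https URL")
    if not token:
        raise ValueError("The parameter apsdb.authToken is required")
    if not user:
        raise ValueError("apsws.user is required to delete your own token")
    return [{"apsdb.authToken": token, "apsws.user": user}]


if __name__ == "__main__":
    URL = "https://apstrata.example.invalid/KEY/DeleteToken"  # constructed
    print(build_delete_token_params(URL, token="constructed-token", user="alice"))
    revoked = [f"user{i}" for i in range(250)]  # constructed logins
    for batch in build_delete_token_params(URL, user_list=revoked):
        print(len(batch["userList"]), "logins in this call")
```
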

Specific Response Elements

(Refer to Common Response Elements)

Specific Logical Errors

(Refer to Common Logical Error Codes)



Status Code


The parameter [paramName] is not allowed in DeleteToken



Invalid originating referrer from the Referer header [RefererHeaderString]



Could not find the token [token]



Failed to update user [username]



The parameter userList is required



The parameter apsdb.authToken is required



The parameter userList should not contain more than 100 users




Sample Request

Request URL:[AuthenticationKey]/DeleteToken?apsws.time=[timestamp]&apsws.authSig=[signature]

POST parameters:


Sample Response

Success XML:

<response xmlns="">

Failure XML:

<response xmlns="">

Sample JSON Response

{"response": {
    "metadata": {
        "requestId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "status": "success"
    }
}}


