The DeleteToken API allows users and devices to delete their own Tokens, and Account Owners to delete the Tokens of devices and users, essentially logging a user or a device out of a token-based authentication session. If a Token cookie was sent in the request, this API also attempts to delete the Token cookie from the user's browser by setting the cookie expiry in the response.
In Apstrata, all requests must be authenticated. There are four methods for authenticating Apstrata requests:
- Default Signature: This is the most secure method of authentication because it requires hashing all content of a request along with the secret of the account or the password of the user or the device and then sending the hash.
- Simple Signature: This is the easiest method of authentication. It requires hashing a few select parameters along with the secret of the account or the password of the user or the device and then sending the hash. It is recommended for testing and for applications that do not have access to all parameters, e.g., files, in a request.
- Token-Based Authentication: This is the recommended method of authentication for applications that make most requests with Apstrata users and devices, as opposed to owners, for use with SSL-encrypted connections over HTTP POST. It provides a similar experience to sessions since a Token is generated and renewed over a period of time, without the need to generate a signature for every request.
- Bearer Token Authentication: This method allows users and devices to issue a request using a bearer token in the header. In order to issue a request with a bearer token header, you first need to generate a token for a user or a device. Users and devices make authenticated requests with a bearer token using the Authorization request header field.
A Token can be used to authenticate a user or a device in place of a signature. This allows the creation of applications that do not need access to the passwords of the users and devices which are required for signature generation. Tokens provide a layer of simplicity, but must obey the following restrictions:
- Token-based authentication is enabled for user and device requests only. Owner requests must use signatures.
- Token-based authentication is enabled under secure (https) connections only.
When no longer needed, a Token can be deleted and cleared using DeleteToken.
Specific Request Parameters
(Refer to Common Request Parameters)
Unlike other APIs, the "apsdb.authToken" and "apsws.id" parameters are not just used to authenticate the request but also to specify which user or device token to delete. Although these parameters are not mentioned below, they are required for a user or a device to delete their own token.
This parameter has to be sent by the account owner to specify the list of user and/or device identifiers whose tokens are to be deleted. When sending this parameter, the "apsdb.authToken" and "apsws.id" parameters should not be sent.
Note: The owner can delete the tokens of up to 100 devices or users in the same request.
Comma-separated list of device or user ids
Specific Logical Errors
(Refer to Common Logical Error Codes)
Duplicate value not allowed for parameter "apsdb.authToken"
The parameter [paramName] is not allowed in DeleteToken
The parameter [idList] is not allowed for user or device requests.
The parameter list [idList,userList] is not allowed for user or device requests.
Could not find the token [token]
The parameter idList is required
The parameter apsdb.authToken is required.
The parameter idList should not contain more than 100 identifiers.
DeleteToken is not allowed over non-secure connections.
Invalid originating referrer from the Referer header [RefererHeaderString]
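A client-side pre-flight check for the rules above, as an added example that is not part of the Apstrata documentation or SDK. It assumes the owner parameter is named `idList` (taken from the error messages listed above), uses a hypothetical function name, builds parameters only (owner requests still have to be signed separately), and goes one step beyond the page by splitting longer owner lists into batches of 100.

```python
from urllib.parse import urlsplit

MAX_IDS_PER_REQUEST = 100  # owner limit stated in the parameter note above


def build_delete_token_requests(url, *, auth_token=None, ws_id=None, id_list=None):
    """Return the POST parameter dicts needed for one logical DeleteToken call.

    Hypothetical helper: it only builds and validates parameters, it sends nothing.
    Raises ValueError for combinations the error list says the service rejects.
    """
    # "DeleteToken is not allowed over non-secure connections."
    if urlsplit(url).scheme != "https":
        raise ValueError("DeleteToken must be called over https")

    if id_list is not None:
        # Owner request: the id list must not be mixed with token parameters.
        if auth_token is not None or ws_id is not None:
            raise ValueError("owner requests must not send apsdb.authToken or apsws.id")
        # Trim, drop empties and de-duplicate while keeping the caller's order.
        ids = list(dict.fromkeys(i.strip() for i in id_list if i.strip()))
        if not ids:
            raise ValueError("idList is required")
        if any("," in i for i in ids):
            raise ValueError("identifier contains the list separator")
        # One request per batch of at most 100 identifiers.
        # Signature parameters for the owner are out of scope and not added here.
        return [
            {"idList": ",".join(ids[n:n + MAX_IDS_PER_REQUEST])}
            for n in range(0, len(ids), MAX_IDS_PER_REQUEST)
        ]

    # User or device request: both parameters identify the token to delete.
    if not auth_token or not ws_id:
        raise ValueError("apsdb.authToken and apsws.id are required")
    return [{"apsdb.authToken": auth_token, "apsws.id": ws_id}]


if __name__ == "__main__":
    # Constructed sample input: placeholder endpoint and made-up device ids.
    endpoint = "https://apstrata.example/DeleteToken"
    batches = build_delete_token_requests(endpoint, id_list=[f"dev{i}" for i in range(250)])
    print(len(batches), "owner requests needed")
```
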
Sample JSON Response