Manage refresh tokens

View the list of active tokens generated by the Genero Identity Provider (GIP), and revoke tokens if necessary.

The GIP manages tokens. When a user accesses a secure application, the GIP issues an access token and a refresh token. Access tokens are valid for a specific period of time, after which they must be renewed. The refresh token allows the access token to be renewed at intervals, without prompting the user to log in again. The access token continues to be refreshed until the user closes the application. At that time, the refresh token is removed by the GIP.


If the user does not close the application properly, the refresh token is not removed. The GIP will discard it after one week.

From the Console App, you can revoke the refresh token.

The GetToken program provides a set of command line options for working with access tokens.

Token details

Select Security > Tokens to view the list of tokens.

For each active token, you can view the following:
  • Token - The refresh token string.
  • Application - The application that the token was issued for.
  • User - The user that requested access to the application.
  • Expires - The expiry date of the token.
  • URI - The redirect URI. This is the callback URI to the GAS where the application is started. In the case of a distributed environment, it specifies which GAS the application is started on. It identifies where the access token corresponding to the refresh token has been delivered.
  • Scopes - The list of scopes encoded in the access token.

Revoke a refresh token

Revoking means you remove the ability to renew the access token granted in the refresh token. After revoking a token, if the user is logged in to the application, they will be able to continue to use the application until the next time a refresh is needed. The refresh will not occur, and the user will need to restart the application and log in again.

To revoke a token, select the token (by using the checkbox) and click Revoke.

To prevent the user from restarting the application, revoking the refresh token is not enough. You must remove the scopes that allowed the user to access the application.