POST /v2/authorizations/cancelTokenThe cancelToken endpoint is used to revoke an access token, effectively terminating the user’s authorization. Use this when a user wants to disconnect their account or when you need to invalidate tokens for security reasons.
Use Cases
User requests to unlink their Rebell account
User cancels their subscription
Security incident requiring token revocation
Account deletion or deactivation
Request Parameters The access token to revoke. Max length : 128 characters
Extended information for additional context. Max length : 2048 characters
Response Parameters Standard result object Result code (e.g., SUCCESS)
Status indicator: S (success), F (failure)
Human-readable result message
Example Request { "accessToken" : "281010033AB2F588D14B43238637264FCA5AAF35xxxx" }
Example Response { "result" : { "resultCode" : "SUCCESS" , "resultStatus" : "S" , "resultMessage" : "success" } }
Result Codes resultStatus resultCode Description Action SSUCCESSToken revoked successfully Clean up local token storage FPARAM_ILLEGALInvalid parameters Check request parameters FINVALID_ACCESS_TOKENToken is invalid or already revoked No action needed FPROCESS_FAILProcessing failed Retry the request UUNKNOWN_EXCEPTIONUnknown error Retry with backoff
Implementation Example async function disconnectUser ( userId ) { // Get the stored access token for this user const stored = await getStoredTokens ( userId ); if ( ! stored . accessToken ) { // Already disconnected or never connected return { success: true , message: 'User not connected' }; } try { const response = await rebellAPI . call ( '/v2/authorizations/cancelToken' , { accessToken: stored . accessToken }); if ( response . result . resultStatus === 'S' || response . result . resultCode === 'INVALID_ACCESS_TOKEN' ) { // Token revoked or already invalid - clean up local storage await deleteStoredTokens ( userId ); return { success: true , message: 'User disconnected' }; } throw new Error ( `Cancel failed: ${ response . result . resultMessage } ` ); } catch ( error ) { // Even on error, consider cleaning up local tokens // The token may already be invalid console . error ( 'Token cancellation error:' , error ); await deleteStoredTokens ( userId ); throw error ; } } // Usage in API endpoint app . post ( '/api/disconnect' , async ( req , res ) => { try { const result = await disconnectUser ( req . user . id ); res . json ( result ); } catch ( error ) { res . status ( 500 ). json ({ error: 'Failed to disconnect' }); } });
Handling Subscription Cancellation When a user cancels a subscription that uses agreement payments:
Cancel Subscription
Update your subscription system to mark the subscription as cancelled
Revoke Token
Call cancelToken to revoke the access token
Clean Up
Delete stored tokens from your database
Notify User
Confirm to the user that their payment agreement has been cancelled
async function cancelSubscription ( subscriptionId ) { const subscription = await getSubscription ( subscriptionId ); // 1. Mark subscription as cancelled await updateSubscription ( subscriptionId , { status: 'cancelled' }); // 2. Revoke the token if ( subscription . accessToken ) { try { await rebellAPI . call ( '/v2/authorizations/cancelToken' , { accessToken: subscription . accessToken }); } catch ( error ) { // Log but don't fail - token might already be invalid console . warn ( 'Token revocation failed:' , error ); } } // 3. Clean up stored tokens await deleteStoredTokens ( subscription . userId ); // 4. Notify user await sendEmail ( subscription . userId , { subject: 'Subscription Cancelled' , template: 'subscription-cancelled' }); return { success: true }; }
Best Practices After calling cancelToken, the associated refreshToken is also invalidated. The user will need to go through the full authorization flow to reconnect.
