How to use disable_access_token

The auth works the same way as any other Core API method. E.g.

curl -X POST https://api.dropbox.com/1/disable_access_token -H "Authorization:Bearer <access token>"

Ok, thanks for your answer - works fine
But why is that user not unlinked in my app console? In development state, i have 100 users free. But the token disable does not delete that user from my linked users. It's still 1 / 100 :-/

That user probably has more than one access token, and you only unlinked one of them.

@Steve M: Is this valid for OAuth2 tokens only? I was trying to disconnect a user with a oath (1) token but with no luck.

@Steve M: To clarify the question, your documentation reads (https://www.dropbox.com/developers/core/docs#disable-token): "Disables the access token used to authenticate the call. This method works for OAuth 1 and OAuth 2 tokens." But with the auth you mentionned there is always an error: {"error": "The given OAuth 2 access token doesn't exist or has expired."} So no luck with OAuth 1 tokens anymore?

I am working on chrome extension where I am using the token flow for user authorization and obtaining the access token. When the user logs in first time it works normally, asks for login credentials and all, once the user logs out a call is sent to disable_access_token to disable the access token which returns sucessfully with an empty json dictionary. Now when a user again clicks on the login button the app logs in without even asking for login credentials, why is it so.

Ok I figured it out, basically the access_token is disabled but the user is not unlinked from the app(as checked in app console on Dropbox) which means the user is simply not logged out of the app, merely the access_token is disabled, so how to ensure that the user gets unlinked as well ?

Sorry for the late reply on this thread!

disable\_token should, as the documentation says, work with both OAuth 1 and OAuth 2. I would double-check to make sure you're using a valid OAuth 2 token (and properly authing the request via OAuth 2, typically an Authorization header value of "Bearer <token>".

Kunal, as long as the user has at least one valid access token, they'll be automatically redirected (without having to "allow"). If you disable all of a user's tokens for your app, this won't happen. You can also pass ?force_reapprove=true as per the documentation if you want to force the user to have to approve your app again.