---
title: /users/user/oauth2/applications
description: Invoke this Advanced Identity Cloud-specific endpoint to list the applications granted OAuth 2.0 access and to delete tokens for a specified client. This lets you manage the tokens granted to applications on behalf of a resource owner.
component: pingoneaic
page_id: pingoneaic:am-oauth2:rest-api-oauth2-applications-endpoint
canonical_url: https://docs.pingidentity.com/pingoneaic/am-oauth2/rest-api-oauth2-applications-endpoint.html
keywords: ["OAuth 2.0", "API Explorer", "Endpoints", "Clients"]
page_aliases: ["oauth2-guide:rest-api-oauth2-applications-endpoint.adoc"]
section_ids:
  list_clients_with_active_tokens: List clients with active tokens
  delete_tokens_for_a_client: Delete tokens for a client
---

# /users/user/oauth2/applications

Invoke this Advanced Identity Cloud-specific endpoint to list the applications granted OAuth 2.0 access and to delete tokens for a specified client. This lets you manage the tokens granted to applications on behalf of a resource owner.

For example, you can revoke all tokens for a resource owner across all clients after a password change or a suspected account compromise. To do this:

1. Query the applications endpoint to list all clients with active tokens for the resource owner.

2. Delete the tokens for each client returned.

This approach revokes all tokens held by each client for the specified resource owner. If you want to revoke a single known access token or refresh token, use the [/oauth2/token/revoke](oauth2-token-revoke-endpoint.html) endpoint instead.

To call the endpoint, you must compose the path to the realm where the client is registered.

## List clients with active tokens

This example lists all the OAuth 2.0 clients holding active tokens granted in the `alpha` realm for the resource owner, `bjensen`. You must provide the SSO token of the tenant administrator or the resource owner as a header, and include the `_id` of the resource owner (`bjensen`) in the URL:

```bash
$ curl --request GET \
--header "Accept-API-Version: resource=1.1" \
--header "<session-cookie-name>: Ua6fsH2vjgHqVY..." \
"https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/users/1dff18dc-ac57-4388-8127-dff309f80002/oauth2/applications?_queryFilter=true"
```

On success, Advanced Identity Cloud returns an HTTP 200 code and a JSON object describing each OAuth 2.0 client that currently holds at least one active access or refresh token for the specified resource owner. For example:

```json
{
    "result": [
        {
            "_id": "myClient",
            "_rev": "-1121350941",
            "name": "My client name",
            "scopes": {
                "write": "write"
            },
            "expiryDateTime": "2027-04-23T16:40:55.000Z",
            "logoUri": null
        },
        {
            "_id": "anotherClient",
            "_rev": "987654321",
            "name": "Another client name",
            "scopes": {
                "read": "read",
                "openid": "openid"
            },
            "expiryDateTime": null,
            "logoUri": null
        }
    ],
    "resultCount": 2,
    "pagedResultsCookie": null,
    "totalPagedResultsPolicy": "NONE",
    "totalPagedResults": -1,
    "remainingPagedResults": -1
}
```

**Response fields**

| Field            | Description                                                                                                                                        |
| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| `_id`            | The client ID of the OAuth 2.0 client that holds tokens on behalf of the resource owner.                                                           |
| `name`           | The display name of the client, if configured. Returns `null` if no display name is set.                                                           |
| `scopes`         | The scopes granted to this client by the resource owner, collected across all active access and refresh tokens for this resource owner and client. |
| `expiryDateTime` | The expiry date of the longest-lived token held by this client for the resource owner. Returns `null` if the tokens have no expiry.                |
| `logoUri`        | The URI of the client's logo, if configured. Returns `null` if no logo URI is set on the client.                                                   |

## Delete tokens for a client

The following example deletes all tokens held by the OAuth 2.0 client `myClient` granted in the `alpha` realm by `bjensen`. You must provide the SSO token of the tenant administrator or the resource owner as a header, and include the `_id` of the resource owner (`bjensen`) and `_id` of the client (`myClient`) in the URL:

```bash
$ curl --request DELETE \
--header "Accept-API-Version: resource=1.1" \
--header "<session-cookie-name>: Ua6fsH2vjgHqVY..." \
"https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/users/1dff18dc-ac57-4388-8127-dff309f80002/oauth2/applications/myClient"
```

On success, Advanced Identity Cloud returns an HTTP 200 code and a JSON object with information about the deleted tokens, such as the granted scopes and ID of the client. For example:

```json
{
    "_id": "myClient",
    "_rev": "-1121350941",
    "name": "My client name",
    "scopes": {
        "write": "write"
    },
    "expiryDateTime": "2027-04-23T16:40:55.000Z",
    "logoUri": null
}
```

To delete all tokens for the resource owner across all clients, repeat this request for each client `_id` returned when you queried the applications endpoint.
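The list-then-delete procedure can be scripted so that a response to a password change or suspected compromise also confirms the result. The following is an added example, not code from Ping Identity: the names `revoke_all_client_tokens`, `http_send` and the injectable `send` parameter are chosen here, and it assumes a single realm directly under the root realm and that one query returns every client.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "resource=1.1"  # header value used in the curl examples above


def http_send(method, url, headers):
    """Default transport: one HTTPS request, returns (status, parsed JSON body)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def revoke_all_client_tokens(base_url, realm, user_id, cookie_name, sso_token,
                             send=http_send):
    """List the clients holding tokens for user_id, delete each client's tokens,
    then list again to confirm nothing is left.
    Returns (revoked_ids, failed_ids, remaining_ids)."""
    headers = {"Accept-API-Version": API_VERSION, cookie_name: sso_token}
    # Percent-encode every path segment so its content cannot change the path.
    quote = lambda segment: urllib.parse.quote(segment, safe="")
    apps = (f"{base_url}/am/json/realms/root/realms/{quote(realm)}"
            f"/users/{quote(user_id)}/oauth2/applications")

    def list_ids():
        status, body = send("GET", f"{apps}?_queryFilter=true", headers)
        if status != 200:
            raise RuntimeError(f"listing clients failed: HTTP {status}")
        return [client["_id"] for client in body.get("result", [])]

    revoked, failed = [], []
    for client_id in list_ids():
        # A failed delete is recorded, not fatal, so the other clients are still processed.
        status, _ = send("DELETE", f"{apps}/{quote(client_id)}", headers)
        (revoked if status == 200 else failed).append(client_id)
    return revoked, failed, list_ids()
```

Any client ID in `failed` or `remaining` still holds tokens for the resource owner and needs a retry or manual follow-up.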
