"Reset Token" does not reset access token

Under “Settings” within the Spark Build there is a blue button that reads “Reset Token”. Upon clicking that button, I am shown a new access token, and that access token works. The problem, however, is that my old access token continues to work. I am not sure why I’d ever want to request a new access token without invalidating my old one (for example, maybe it got leaked), and the expected behavior of “reset” in my mind is revoke old and grant new.

Requesting a list of my access tokens from https://api.spark.io/v1/access_tokens only displays the old access token and not the new one.

Here’s the strange part: if I reset my access token a 2nd time, the new token works but still isn’t listed via the API; the oldest token (the one listed via the API) continues to work, but the access token I had generated with the previous reset stops functioning.

Wow, this sounds like a high priority issue. I’d love to confirm this behavior but I have work to do today and would prefer not to mess up my cores / apps.

cc: @zach @zachary

We are aware of this issue. Originally, getting a new access token did invalidate old tokens; however problems arose when you had multiple services requesting access tokens (like the IDE vs. the mobile app), because they would invalidate each other. This caused stuff to break unexpectedly.

We put in place a temporary fix to allow old access tokens to continue working unless they are actively invalidated through the API.

The long-term solution is a complete OAuth implementation, but that hasn’t bubbled up to the top of the priority list. In the meantime i think there is a consistency issue with regards to how the access token is generated in the IDE (which is different than through the API), and I think we can fix that in the near future.

1 Like

Ok, good to know thanks. Sounds like all valid tokens are not being listed via the API though, so it might be hard to explicitly delete them if you have not written them all down as you were creating them.

This is pretty clear in the docs, maybe not that easy to find: “For now, Spark Build will list the single most recently created token.”

@jonathan Try explicitly deleting your old access_token via the API and then see if it stops working.

We solved this issue earlier this week. The change has not been deployed to production. We’ll probably roll it out on Monday.

1 Like

Thanks everyone… great to hear that a fix is already tee’d up.

This has been deployed.

The token displayed in the settings panel is for the “user” client. Clicking the reset token button now deletes the most recent user client token and generates a new one. If you have multiple user client tokens, you will need to explicitly delete the older ones. We shouldn’t delete those since we can’t be confident we created them.

When the user client token shown in the web IDE expires, a new one will not automatically be created. The token will be highlighted in red, and you will see a notice of the expiration beneath it in the settings drawer.

The web IDE now uses a separate token for the “spark-ide” client to make its verify and flash requests. This token will be automatically regenerated without any user intervention so that the web IDE always works.



Good stuff!

blah blah blah (for discourse)

I’m seeing the same behavior today.

@jernstlun can you share more information of what you are experiencing?

curl https://api ... -d access_token=TOKEN

works. I go to https://build.particle.io/build/new, click “reset token”. It gives me NEWTOKEN. Now:

curl https://api ... -d access_token=TOKEN
curl https://api ... -d access_token=NEWTOKEN

both work. At least they did within 10min of the reset, have not tried since.

Are you saying that the new access token did not work immediately or the old access token should expire the moment you reset it?

Judging by the topic title “Reset Token” does not reset token I’d say it’s the latter :wink:
Which would also explain the quote of the reset token command.

1 Like

Yeah but i wanted to be sure in order to report the issue :slight_smile:

@dave, any idea how long does it take to invalidate the access token upon reset in Build?

1 Like

Hi @kennethlimcp,

Hmm, I would think that would happen immediately, but lets ask @suda just to be sure.


1 Like

I am new with the platform and wonder why pressing the reset button in IDE settings, does not invalidate the previous token.

Confirmed in a browser afterwards also the day after with:

https://api.particle.io/v1/devices?access_token=[user token before reset in IDE]

In the CLI running $ particle token list the new user token after the reset in IDE is in the list, but the previous user token before the reset in the IDE is not in the list, despite still working in the http devices call above.

Is the status today that the previous user token must be deleted with the API or CLI?

Where can the previous user token be found for that purpose (I luckily copied it myself before pressing the reset button)?

There’s simply a delay. Try the access token that is invalidated again and it should not work already.

Let me know if that’s not the case!

The old token still works with mentioned http request. Just tried a different browser I seldom use - the old user token still works.

It is now between 20-24 hours since reset.

@suda can you check on this?

I’ve queued up fixing this for the following sprint. @thrmttnw in the mean time I can manually revoke the token if you’ll PM me it.