Manage user authorized apps (grants)

App grants represent user authorization state for specific client applications.

Use grants management when users or admins need to review authorized apps and revoke app access without revoking the whole Logto session.

When grants are revoked, previously issued opaque access tokens and refresh tokens for those grants are invalidated.

Choose the right path

| Scenario | Recommended path |
| --- | --- |
| Let signed-in users manage their own app authorizations | Account API |
| Let admins or support teams manage grants for a target user | Management API |
| Let operators manage third-party app authorizations in UI | Admin Console |

Direct grant management APIs

Account API (self-service)

Use Account API in end-user account settings pages:

Management API (admin tools)

Use Management API in admin tools and support workflows:

Filter grant list by app type

Grant listing endpoints support an optional query parameter, appType:

  • appType=firstParty: List first-party app grants only.
  • appType=thirdParty: List third-party app grants only.
  • Omit appType: Return all active grants.

Manage third-party app authorizations in Console

In Logto Console, use the user details page to view and revoke authorized third-party apps.

Revoke grants when revoking a session

When revoking a session via DELETE /api/my-account/sessions/{sessionId}, use the optional query parameter revokeGrantsTarget to control the scope of grant revocation:

  • all: Revoke grants for all apps associated with the session.
  • firstParty: Revoke grants for first-party apps only.

For session-level behavior and endpoint context, see Manage user sessions and Sign-out.
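
The request described in this section, as an added example (not Logto's own code): a JavaScript helper that builds the DELETE call, accepts only the two documented revokeGrantsTarget values, and keeps the session ID confined to its path segment. The base URL, the bearer-token header, and the function names are assumptions of this example.

```javascript
// Added example. Only the endpoint path and revokeGrantsTarget values come from the page.
const REVOKE_GRANTS_TARGETS = new Set(['all', 'firstParty']);

// Build the DELETE request that revokes one session.
// `endpoint` (tenant base URL) and `accessToken` (bearer token) are assumptions.
function buildSessionRevokeRequest({ endpoint, sessionId, accessToken, revokeGrantsTarget }) {
  if (typeof sessionId !== 'string' || sessionId.length === 0) {
    throw new TypeError('sessionId must be a non-empty string');
  }
  // Encode the ID so characters such as "/" or "?" cannot change the request path.
  const path = `/api/my-account/sessions/${encodeURIComponent(sessionId)}`;
  const url = new URL(path, endpoint);
  // "." and ".." survive encoding but are collapsed by URL normalization; reject them.
  if (url.pathname !== path) {
    throw new RangeError('sessionId would alter the request path');
  }
  if (revokeGrantsTarget !== undefined) {
    // Reject unknown values locally so a typo is caught before the request is sent.
    if (!REVOKE_GRANTS_TARGETS.has(revokeGrantsTarget)) {
      throw new RangeError(`unsupported revokeGrantsTarget: ${revokeGrantsTarget}`);
    }
    url.searchParams.set('revokeGrantsTarget', revokeGrantsTarget);
  }
  return {
    method: 'DELETE',
    url: url.toString(),
    headers: { Authorization: `Bearer ${accessToken}` },
  };
}

// Send the request and fail loudly on any non-2xx status, so the caller never
// reports a session as revoked when the server refused the call.
// `fetchImpl` is injectable so the function can be exercised without a network.
async function revokeSession(options, fetchImpl = fetch) {
  const { url, ...init } = buildSessionRevokeRequest(options);
  const response = await fetchImpl(url, init);
  if (!response.ok) {
    throw new Error(`session revocation failed with HTTP ${response.status}`);
  }
  return response.status;
}
```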