What are the different ways the API v3 responds when a user revoked their access?

[cyrilchandelier]

So far I have seen two:

• refresh_token is revoked
• access token has been revoked

But I'm wondering if there are more out there.

[simonj]

I just call this endpoint "https://api.etsy.com/v3/public/oauth/token" with a refresh token , client_id, client_secret and grab the new access_token and refresh token if it's expired

[cyrilchandelier]

I was referring to when a token is "revoked" and not when it is "expired".

Tokens can be revoked when the user:

• revoke access from the Etsy integrations page (https://www.etsy.com/your/shops/me/integrations/installed)
• when the user changes their password on Etsy (so I heard, I did not find it documented anywhere)
• ??? surely there are some other cases

[showtroylove]

The important notion is captured in the error code, which typically aligns with HTTP status codes. So, 401 to 403 are used to imply reauthorization is required. Your question about explicit revocation by the user would require you to rerun the OAuth2 authorization process anew to have the user regrant access. Doing as @cyrilchandelier suggests will fail repeatedly, as it only implies an expired access and/or refresh token.

Token	Error Code	Resolution
Access Token Expiry	400	Refresh the access token using the refresh token.
Refresh Token Expiry	401	You must perform the OAuth2 authorization process again.
Revoked OAuth	403	You must perform the OAuth2 authorization process again.