Access Token of Deleted App is still valid

Hello everyone,
Recently I’ve been working on an external app that pushes data to a Monday board.
For security reasons, we are not using an API token; instead, we obtain an access token from Monday via the OAuth flow.
To configure OAuth, I created an app with only the required scopes.
From a recent test, I’ve discovered that the issued access token always retains access to the API.
Steps to reproduce:

  1. Create an app, grant read board access, get a token via the OAuth flow (using client_id & client_secret)
  2. Use the API to read data via GraphQL (with the access token)
  3. Remove read scope access on the Monday side / refresh the client_secret and signing secret
  4. Use the API with the same access token from step 2: the API still returns data
  5. Delete the app, use the read API: it still works

From the test, I see that the access token remains valid even with the app removed and the scope changed.
It’s a big security concern for us; could you please advise on this issue?

Thank you


After additional tests I have some updates on token invalidation; there are a few ways to invalidate a token:

  1. Publish and install the app, generate a token, and uninstall the app.
  2. Publish and install the app, generate a token, and delete the app.

If the app is not installed, the token will always be valid, no matter how many new live versions the developer publishes.
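Added example (not code from the original posts or from monday.com): a small Python harness that runs the step 2 / step 4 comparison from the first post, and the uninstall/delete findings from the follow-up, as a repeatable check. Each run queries the API with the token, applies one revoking action, queries again, and reports whether the token was actually invalidated. The endpoint https://api.monday.com/v2 and passing the token in the Authorization header are monday.com's documented usage; the `boards (limit: 1)` probe, the names FakeMondayServer, revocation_check and query_succeeds, and the shape of the error body in the fake server are assumptions made here. The fake server is constructed to reproduce the behaviour reported in the thread so the harness runs offline; swap in http_transport and perform the revoking action by hand to run it against the real service.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Set, Tuple

# monday.com GraphQL API endpoint (documented).
MONDAY_API = "https://api.monday.com/v2"
# Cheapest probe that a token is still accepted at all.
ME_QUERY = "query { me { id } }"
# Probe for the board-read scope from step 2 of the post (limit: 1 keeps it cheap; assumption).
BOARDS_QUERY = "query { boards (limit: 1) { id } }"

# A transport takes (token, query) and returns (http_status, response_body).
Transport = Callable[[str, str], Tuple[int, str]]


def http_transport(token: str, query: str) -> Tuple[int, str]:
    """Real transport: POST the query with the access token in the Authorization header."""
    req = urllib.request.Request(
        MONDAY_API,
        data=json.dumps({"query": query}).encode("utf-8"),
        headers={"Authorization": token, "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:  # 401/403 land here; keep the body for debugging
        return err.code, err.read().decode("utf-8", errors="replace")


def query_succeeds(token: str, transport: Transport, query: str) -> bool:
    """True only for HTTP 200, no top-level GraphQL errors, and a non-null data field.
    Deliberately does not depend on the exact wording of monday.com's error body."""
    status, body = transport(token, query)
    if status != 200:
        return False
    try:
        payload = json.loads(body)
    except ValueError:
        return False
    if payload.get("errors"):
        return False
    data = payload.get("data") or {}
    return any(value is not None for value in data.values())


def revocation_check(token: str, transport: Transport, revoke: Callable[[], None],
                     query: str = ME_QUERY) -> Dict[str, bool]:
    """Step 2 / step 4 of the post: query, apply one revoking action, query again."""
    before = query_succeeds(token, transport, query)
    revoke()
    after = query_succeeds(token, transport, query)
    return {"accepted_before": before, "accepted_after": after, "revoked": before and not after}


class FakeMondayServer:
    """Constructed stand-in reproducing the thread's findings: scope changes and secret
    rotation leave issued tokens untouched; uninstalling or deleting an installed app
    kills them. Error body shape is an assumption, not monday.com's real response."""

    def __init__(self, tokens_by_app: Dict[str, str]):
        self.live_tokens = dict(tokens_by_app)  # app_id -> issued access token
        self.scope_changed: Set[str] = set()
        self.secret_rotated: Set[str] = set()

    def transport(self, token: str, query: str) -> Tuple[int, str]:
        if token not in self.live_tokens.values():
            return 401, json.dumps({"errors": [{"message": "Not Authenticated"}]})
        if "boards" in query:
            return 200, json.dumps({"data": {"boards": [{"id": "1"}]}})
        return 200, json.dumps({"data": {"me": {"id": "7"}}})

    def remove_read_scope(self, app: str) -> None:
        self.scope_changed.add(app)  # recorded on the app; issued tokens unaffected (as reported)

    def rotate_client_secret(self, app: str) -> None:
        self.secret_rotated.add(app)  # likewise no effect on issued tokens (as reported)

    def uninstall(self, app: str) -> None:
        self.live_tokens.pop(app, None)  # uninstall/delete of an installed app revokes the token


def demo() -> Dict[str, Dict[str, bool]]:
    """Replay the three revoking actions from the thread against the fake server (constructed data)."""
    server = FakeMondayServer({"app-123": "tok-abc"})
    actions = {
        "scope_removed": lambda: server.remove_read_scope("app-123"),
        "secret_rotated": lambda: server.rotate_client_secret("app-123"),
        "uninstalled": lambda: server.uninstall("app-123"),
    }
    return {name: revocation_check("tok-abc", server.transport, act, BOARDS_QUERY)
            for name, act in actions.items()}


if __name__ == "__main__":
    for action, result in demo().items():
        print(f"{action:15s} before={result['accepted_before']} "
              f"after={result['accepted_after']} revoked={result['revoked']}")
```

Against the real service, pass http_transport and a revoke callable that blocks until you have made the change in the developer centre, for example `revoke=lambda: input("Uninstall the app now, then press Enter")`; a `revoked: False` result for scope removal or secret rotation is the behaviour the thread reports. Keep the token out of logs and shell history, since the thread shows it stays usable long after the app configuration it was issued for has changed.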

Hello there @AnnaPo,

Are you using a new major version to change the scopes?

@Matias.Monday
Hello Matias, correct. For the last test with published versions, I used major versions.
All the major version tokens stayed valid until I deleted or uninstalled the application.

@Matias.Monday Is there any update regarding this question?
We want to be sure that all tokens will be invalidated as soon as we remove the app, change the configuration of an unpublished app, or create a new version.

Also, we discovered that the access token can’t be refreshed with a refresh token; only an access token is provided. Are there any plans to add a refresh token to the OAuth flow?

Hello again @AnnaPo,

Our team is checking this and will determine whether a change is going to be made.

For now, the behaviour will remain as is. If this changes in the future, we will announce it in our changelog.

Let me know if you have any questions.

Cheers,
Matias