Security issue: Revoking access - access token not revoked
I've been testing out a connection to a 3rd party app. When I revoke access to the app in my HubSpot account settings, I can still make successful API calls for around 20 mins. Looks like the access token is not revoked and I only start to get failures when it needs to be refreshed.
Access via API should be revoked immediately when the app is disconnected.
When you revoke access to a third-party app in HubSpot, the existing access token remains valid until it expires (typically 15-20 minutes). This delay happens because the token isn't immediately invalidated; it only fails once it tries to refresh.
For immediate revocation, ensure your system checks token status before sensitive actions, or manually expire the token if possible. This is a common behavior with OAuth tokens, but important for security awareness.
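The following is an added example, not code from either post or from HubSpot. It models the behaviour described in the thread and compares a resource check that trusts any unexpired access token with one that also checks grant status before acting. The `AuthServer` class, the function names, the 20-minute lifetime and the 5-minute revocation time are assumptions made for the illustration.

```python
ACCESS_TTL = 20 * 60  # seconds; assumed lifetime, the thread reports roughly 15-20 minutes


class AuthServer:
    """Constructed model of an OAuth authorization server; not HubSpot's code."""

    def __init__(self):
        self.revoked = set()

    def issue(self, grant_id, now):
        # Access token modelled as a dict carrying its own expiry.
        return {"grant": grant_id, "exp": now + ACCESS_TTL}

    def revoke(self, grant_id):
        # User disconnects the app: the grant is marked revoked.
        self.revoked.add(grant_id)

    def grant_active(self, grant_id):
        return grant_id not in self.revoked

    def refresh(self, grant_id, now):
        # In this model, as in the thread, refresh fails once the grant is revoked.
        if not self.grant_active(grant_id):
            raise PermissionError("grant revoked")
        return self.issue(grant_id, now)


def accept_expiry_only(auth, token, now):
    """Resource check that trusts any unexpired token."""
    return now < token["exp"]


def accept_with_status_check(auth, token, now):
    """Resource check that also asks whether the grant is still active."""
    return now < token["exp"] and auth.grant_active(token["grant"])


def exposure_window(check, revoked_at=300, step=60):
    """Seconds after revocation during which `check` still accepts the old token."""
    auth = AuthServer()
    token = auth.issue("grant-1", now=0)  # constructed sample grant
    auth.revoke("grant-1")                # treated as happening at `revoked_at`
    now = revoked_at
    while check(auth, token, now):
        now += step
    return now - revoked_at


if __name__ == "__main__":
    print("expiry only:", exposure_window(accept_expiry_only), "s")
    print("status check:", exposure_window(accept_with_status_check), "s")
```

With the assumed values, the expiry-only check keeps accepting the token for the remaining 15 minutes of its lifetime, while the status check rejects it on the first call after revocation.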