Delete authorization not working with user Octokit

I have a GitHub App and I’m authorising the installing user via OAuth. Immediately after installation I use that access to obtain a few details about the installing user, but then I’m done, and I want to delete that OAuth authorisation. However, I can’t get it to work.

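I create an App (from octokit/app):

const { App } = require("@octokit/app");

// GitHub App with OAuth credentials for user authorisation
const app = new App({
  appId: "...",
  privateKey: "...",
  oauth: {
    clientId: "...",
    clientSecret: "...",
  },
});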

When a user installs my app, I receive a code parameter from GitHub for the auth’d user. I use getUserOctokit with this:

const octokit = await app.oauth.getUserOctokit({ code })

With this I do things like inspect the installations this user has made, i.e. it appears to work correctly.

When I’m done, I try to remove this authorisation:

await octokit.auth({ type: "deleteAuthorization" })

However, this fails with a 400 error with the body:

{ error: 'bad_verification_code',
  error_description: 'The code passed is incorrect or expired.',
  error_uri: '' } } }

I can see from the error that the original code parameter is being sent to the server, not the access token for which it was exchanged.

   { method: 'POST',
     baseUrl: '',
      { accept: 'application/json',
        'user-agent': 'octokit-core.js/3.3.2 Node.js/10.23.2 (darwin; x64)' },
     mediaType: { format: '', previews: [] },
     url: '/login/oauth/access_token',
     client_id: '...',
     client_secret: '...',
     code: 'abc123etc' }

How can I get it to use the token instead of code? Or is there a better way to do this?


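For comparison with the failing request above, GitHub's REST API revokes a grant with `DELETE /applications/{client_id}/grant`, authenticated with the app's client ID and secret over Basic auth and carrying the access token (not the one-time code) in the body. This is an added example, not code from the original post or from Octokit; the function names and sample credentials are assumptions, and obtaining the access token from the user Octokit is left to the caller.

```javascript
// Added example: revoke an OAuth grant directly through GitHub's REST API.
// Function names and any sample values passed in are hypothetical.
const GITHUB_API = "https://api.github.com";

// Build the request without sending it, so it can be inspected or logged
// (with the authorization header redacted) before it goes over the wire.
function buildRevokeGrantRequest({ clientId, clientSecret, accessToken }) {
  const fields = { clientId, clientSecret, accessToken };
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== "string" || value.length === 0) {
      throw new TypeError(`${name} must be a non-empty string`);
    }
  }
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  return {
    url: `${GITHUB_API}/applications/${encodeURIComponent(clientId)}/grant`,
    init: {
      method: "DELETE",
      headers: {
        accept: "application/vnd.github+json",
        authorization: `Basic ${basic}`,
        "content-type": "application/json",
      },
      // The access token identifies the grant; the `code` from the
      // install redirect is single-use and is never sent here.
      body: JSON.stringify({ access_token: accessToken }),
    },
  };
}

// `fetchImpl` is injectable: globalThis.fetch on Node 18+, or a polyfill.
async function revokeGrant(credentials, fetchImpl = globalThis.fetch) {
  const { url, init } = buildRevokeGrantRequest(credentials);
  const res = await fetchImpl(url, init);
  if (res.status === 204) return true; // grant deleted
  throw new Error(`unexpected status ${res.status} revoking OAuth grant`);
}
```

Revoking the grant invalidates every token the app holds for that user, so it should run only after the last user-scoped call has completed.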