Currently the v3 API for deleting existing Authorizations (Tokens) requires Basic (username, password) authentication.
If the user of the app decides to delete their account / token, I need to ask them for credentials, possibly including an OTP, to remove the existing OAuth token. For context, this is a native client app, not a web app.
Delete an authorization is NOT mentioned in the Docs' Deprecation Notice removing token support for some of the existing OAuth Authorization API. The Delete an authorization entry also does NOT mention that Basic Authentication is required.
Is it possible the Basic Authentication requirement was added to Delete an authorization by mistake?
Is there another way to delete an existing authorization using that authorization's token? To put it another way, is there a way for an app to clean up after itself without user interaction? (I'm specifically thinking about uninstallation of the app or explicit account removal within the app.)
Would it be possible to remove the Basic Auth requirement from Delete an authorization when an app is trying to delete its own authorization using that authorization's associated token?
If not, would it be possible to at least remove the OTP requirement from Delete?
It appears that the omission of the Basic Authentication requirement from the delete endpoint is a flaw in the documentation. You'll note that the documentation for the entire API states that Basic Authentication is required; this includes the delete endpoint.
I'll pass along the feedback to correct the documentation. Additionally, I'll pass along the request for not requiring the OTP on two-factor authentication, but please note that it is highly unlikely that we're going to weaken two-factor authentication requirements. In any case, I can't make any promises of when or if either of these changes will be made, but the right people will hear your feedback.