Commit 316a3dfc authored by Eric Eastwood

Add docs on how to invalidate GitHub and Gitter access tokens

parent 81939dc3
Pipeline #109051365 passed with stages
in 39 minutes and 36 seconds
......@@ -174,12 +174,54 @@ Once you are sure the above is done, preform the following:
- You can access the homepage even when signed in by using the `?redirect=no` query - (http://localhost:5000/?redirect=no)
### Easily get your access token
### Easily get your Gitter access token
1. You can get your access token by running `troupeContext.accessToken` in the browser's DevTools console
### Sign in with access token
### Sign in with Gitter access token
1. Open Gitter in a different browser using the `access_token` query parameter, `<your token>`
If you are using the desktop app, you can follow [these steps to manually authorize](
### Invalidate Gitter access token
You can use the handy utility script: `scripts/utils/delete-token.js`
Or you can simply delete the token from the database,
$ ssh
$ mongo
> use gitter
> db.oauthaccesstokens.findOne({ token: 'xxx' })
> db.oauthaccesstokens.remove({ token: 'xxx' })
### Invalidate a GitHub access token
If a GitHub token leaks, we can invalidate with the API
To grab the `clientId` and `clientSecret` for the request below, use the following links:
- For `user.githubUserToken` -> `Gitter Public Repo Access`:
- For `user.githubToken` -> `Gitter Private Repo Access`:
Then fire off the request to delete the GitHub token:
Basic authentication
Username: <clientId>
Password: <clientSecret>
Accept: application/
Content-Type: application/json
"access_token": "xxxtokentorevoke"
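Review bot: In the "Invalidate Gitter access token" section, the manual steps do not say whether removing the document with `db.oauthaccesstokens.remove({ token: 'xxx' })` is everything that `scripts/utils/delete-token.js` does. If the script also clears anything else (a cached copy of the token, for example), say so here, so that nobody takes the manual route and assumes the token is dead when it is not. It would also help to state that the `findOne` output should be checked against the expected user before running `remove`. In the "Invalidate a GitHub access token" section, consider adding one sentence on how to tell whether a leaked token is a `user.githubUserToken` or a `user.githubToken`, since that decides which `clientId`/`clientSecret` pair the request needs.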