How to delete AccessToken /



Hi there,
I set up Account linking with Amazon and it works all fine, but:

  • When I activate the skill I am able to get user’s name and email, and of course the access token
  • The code stores the name and email address in the user DB
  • Then I deactivate the skill some moments after which unlinks the account.
  • If I activate the skill again some moments later the AccessToken still seems to be valid. I get a new UserId (amzn1.ask.account.AGJXN2R…), but the code is still able to get name and email address even the account is not linked yet. which means probably the AccessToken is still valid.

This is a problem (German Privacy Law…), as we are talking here about permissions the user gave to send him emails. Even I am in a testing mode a user could also deactivate and activate a Skill in a very short time period.

Also, this.$user.delete(); does not delete the entry in the DB. But this would not solve this issue anyways. Tested it by deleting the entry manually.

Is there a way to delete an AccessToken (i am using AlexaSkillEvent.SkillDisabled)?
How long is an AccessToken valid?

Thanks, Jan

UPDATE: It seems I found a solution. In the event “AlexaSkillEvent.SkillEnabled” I set the AccessToken to false;


Means, when I user enables a skill a maybe existing AccessToken will be invalid and getAccessToken() returns false. Now it works, but not 100% guaranteed as I just testet it 3-4 times.
So the answers would be still of interest if there is a better solution and if some one knows about the expiration time of a Token let me know please.

Huge problem with Jovo AccessToken


After disabling a skill with account linking and reinvoking I don’t get an access token in my requests. Tested with Spotify account linking

I don’t think there’s an explicit access token revoking on AlexaSkillEvent.SkillDisabled. It’s probably still valid until it expires after a time. Depending on the OAuth2.0 implementation/settings.


Thanks Alex,
so i DO get still a valid AccessToken after disabling the skill. This could be a huge problem as we could get sued in Germany if we send out (advertising) emails without the users explicit permission.
But as I wrote, it seems that this.$request.setAccessToken(false); seems to do what I need when I enable a skill.