What you see
Each row is a single access token issued through the OAuth authorization-code flow. Columns:- Application — the human-readable name of the client (e.g. Claude (Anthropic)) and its
client_idunderneath. - Owner — the email of the staff member who approved the connection. This is the person whose access the token acts as.
- Scopes — the AGO permissions the owner granted to this client (e.g.
knowledge:read). These reflect what the owner selected on the consent screen, which may differ from what the client originally requested. - Created — when the token was issued.
- Expires — access tokens expire after 1 hour. Claude Web refreshes them automatically using a 30-day refresh token; the row may rotate frequently.
Revoke a token
Click Revoke next to the token, then confirm. The token is invalidated immediately and the next API call from that client returns 401. The user will need to reconnect from their MCP client to regain access.What revoking doesn’t do
- It does not sign the user out of AGO.
- Active server-sent-event (SSE) streams already in flight may continue until the client reconnects (cap: a few minutes). Non-SSE requests fail immediately.
- Revoke is per-token, not per-client. If a single user has multiple tokens (e.g. tested across browsers), revoke each one.
When to revoke
- A user leaves the company → revoke their tokens to prevent stale access.
- A laptop is lost → revoke all tokens issued to that user.
- A scope was granted by mistake → revoke and have the user reconnect with the correct scopes.
