Irreversible action: Revoking an access token permanently invalidates it. The associated user's automated workflows will stop functioning immediately. All stored credentials for this token must be deleted from BizFirst Credentials Manager after successful revocation.
When to Use
- User-initiated disconnection: When a user explicitly requests to disconnect their Instagram account from your platform, revoke the token immediately and delete all stored credential references.
- Account offboarding: When a tenant or client account is closed, revoke all associated Instagram tokens as part of the offboarding workflow to prevent orphaned active tokens.
- Security incident response: If you suspect a credential has been compromised, revoke the token immediately to cut off API access, then notify the account owner to re-authenticate.
- GDPR right-to-erasure: When processing a data deletion request, revoke all associated tokens as part of the complete data removal workflow to close all active API authorisations.
- Periodic credential hygiene: Revoke tokens for inactive accounts that have not performed any Instagram API operations for a defined period (e.g. 90+ days of inactivity).
Configuration
Operation
| Field | Required | Description |
resource | Required | Must be auth. |
operation | Required | Must be revoke-token. |
accessToken | Required | The long-lived access token to revoke. Retrieve from BizFirst Credentials Manager. This token will be permanently invalidated. |
Delete from Credentials Manager: After successful revocation, the next node in your workflow must delete the stored credential from BizFirst Credentials Manager. Leaving an invalidated token stored is a data hygiene problem and will cause all subsequent workflows using that credential to fail with authentication errors.
Sample Configuration JSON
{
"resource": "auth",
"operation": "revoke-token",
"accessToken": "{{ $credential.instagram.accessToken }}"
}
Validation Errors
| Error | Cause |
accessToken is required | accessToken field is missing or empty. |
| Graph API error 190 | Token is already expired or was previously revoked. |
| Graph API error 200 | Token does not have the permissions required for revocation. |
Output
Success Port
| Field | Type | Description |
status | string | "success" |
id | string | Instagram user ID associated with the revoked token. |
username | string | Instagram username of the account that was disconnected. |
accountType | string | Account type — "BUSINESS", "MEDIA_CREATOR", or "PERSONAL". |
payload | string | Raw JSON response from the Graph API confirming identity before revocation. |
Error Port
| Field | Type | Description |
status | string | "error" |
errorCode | string | Graph API error code. |
errorMessage | string | Error description. |
payload | string | Raw error response. |
Sample Output JSON
{
"status": "success",
"id": "17841400000000000",
"username": "yourbrand",
"accountType": "BUSINESS",
"payload": "{\"id\":\"17841400000000000\",\"username\":\"yourbrand\",\"account_type\":\"BUSINESS\"}"
}
Expression Reference
| Expression | Value |
{{ $output.instagram.id }} | Instagram user ID of the disconnected account |
{{ $output.instagram.username }} | Username of the disconnected account |
{{ $output.instagram.accountType }} | Account type string |
Node Policies & GuardRails
- Always delete stored credentials: Immediately after successful revocation, delete the credential entry from BizFirst Credentials Manager. The token output fields can be used to identify which credential record to delete by matching the Instagram user ID.
- Audit trail required: Log the revocation event — including the Instagram user ID, username, revocation timestamp, and the workflow or user that triggered it — to your audit log before deleting credentials. This supports compliance requirements and dispute resolution.
- Stop downstream workflows: Before revoking, disable or pause any scheduled workflows that reference this Instagram credential to prevent them from running against a revoked token and generating false alert notifications.
- Error 190 handling: If revocation fails with error 190 (token already expired/revoked), treat the result as a successful disconnect — the token is already inactive. Still delete the stored credential from Credentials Manager.
- Notify the user: After successful revocation, send a notification to the account owner confirming that their Instagram account has been disconnected from the platform.
Examples
User-initiated account disconnection
{
"resource": "auth",
"operation": "revoke-token",
"accessToken": "{{ $credential.instagram.accessToken }}"
}
// On success:
// 1. Delete credential from BizFirst Credentials Manager
// 2. Disable all scheduled workflows for this user's Instagram account
// 3. Log revocation audit event with id + username
// 4. Send disconnection confirmation email to user
Offboarding workflow — revoke all tenant tokens
// Iterating over all Instagram credentials for the offboarded tenant
{
"resource": "auth",
"operation": "revoke-token",
"accessToken": "{{ $loop.current.accessToken }}"
}
// On success or error 190: delete credential record
// Continue loop regardless of revocation error to ensure all records are cleaned up
Part of a tenant offboarding workflow that iterates over all connected social accounts. Uses the output username to populate the offboarding audit report before deleting credentials.
GDPR erasure — credential revocation step
{
"resource": "auth",
"operation": "revoke-token",
"accessToken": "{{ $db.users.where(userId=$input.userId).instagramAccessToken }}"
}
// On success: mark erasure step 'instagram_token_revoked' = true in erasure request record
// Subsequent node deletes all stored Instagram data (posts, comments, media metadata) for this user