Delete a token policy

Deleting token policies is a simple enough affair; all it takes is an API call similar to this:

curl -X DELETE \ \
  -H 'Authorization: Bearer 03v-eeodppPrrHXXIx56pRLyDBaOldDxqEwI59MFCFGVuSkLRapzgmfwmEHyKWle'

And if you’re thinking, “That was too easy; there has to be a catch here,” well, you’re right: there is a catch here. As it turns out, you can’t delete a token policy that’s currently associated with one or more OIDC clients. If you have a token policy currently associated with a client (public, confidential, or configuration) and you try to delete that policy, your API call will fail with an error message similar to the following:

    "errors": "[\"/customers/01000000-0000-3000-9000-000000000000/clients/9b104b1e-ef6c-420a-a9ba-fda43dfecd16\",

That’s a crazy-looking error message, but it’s also a very useful error message: each line is simply the path to a client currently associated with the token policy. In other words, the token policy you just tried to delete is currently associated with the following client IDs:

  • 9b104b1e-ef6c-420a-a9ba-fda43dfecd16
  • 7b65f467-83fc-462e-94e7-79708e79ee18
  • 6667d105-129b-4b75-b7ae-411fa6375b12
  • 07e4b6e4-4a6f-4825-94fe-8a7bc57196c1
  • 587a78e6-61c4-472e-9d4a-ca5334e8331b
  • af4f70a3-0364-4505-94c4-8d26df86e161

To delete the token policy you’ll need to modify each of the preceding clients, replacing the existing token policy with a new policy.


If this seems harsh – you can’t delete a token policy without first removing it from all its associated clients?!? – keep in mind that tokenPolicy is a required property for OIDC clients: if you remove the token policy associated with a client, you’re effectively going to “break” that client.