Memory Scope
Memory Scope
Sign InGet Started

Revoking Access

Learn how to implement revocation functionality so users can control access to their data. This is essential for privacy compliance and user trust.

Overview

Every read operation returns a revocation token. This token represents a "grant" of access to the data that was read. Users can use this token to immediately revoke access, ensuring they have complete control over their data.

When access is revoked:

  • Subsequent read operations for the same scope and domain return empty results
  • The revocation takes effect immediately (no delay or grace period)
  • The revocation is logged in the audit trail for compliance
  • New memories can still be created and read normally

Basic Implementation

Basic Implementation
from memory_scope import MemoryScopeClient client = MemoryScopeClient(api_key="your-api-key") # Step 1: Read memories and get revocation token result = client.read_memory( user_id="user123", scope="preferences", domain="food", purpose="generate food recommendations" ) # Step 2: Store the revocation token (associate with user session) revocation_token = result.revocation_token # Store this in your database or session storage, associated with user_id # Step 3: When user wants to revoke access client.revoke_memory(revocation_token=revocation_token) # Step 4: Subsequent reads return empty results result = client.read_memory( user_id="user123", scope="preferences", domain="food", purpose="generate food recommendations" ) print(result.summary_struct) # {} - Empty because access was revoked
Storing Revocation Tokens

You need to store revocation tokens securely and associate them with user sessions so users can revoke their own data. Here are some approaches:

Database Storage

Database Storage
# Store in database with user_id revocation_tokens = { "user_id": "user123", "tokens": [ { "revocation_token": "rev_xyz789...", "scope": "preferences", "domain": "food", "created_at": "2026-01-27T10:15:23Z", "expires_at": "2026-01-28T10:15:24Z" } ] } # When user wants to revoke, find their tokens and revoke them for token_info in revocation_tokens["tokens"]: client.revoke_memory(revocation_token=token_info["revocation_token"])

Session Storage

Session Storage
# Store in user session (e.g., Flask session, Django session) session['revocation_tokens'] = session.get('revocation_tokens', []) session['revocation_tokens'].append({ 'revocation_token': result.revocation_token, 'scope': 'preferences', 'domain': 'food' }) session.modified = True

User Interface Implementation

Provide users with a way to revoke access through your application UI. Here's an example of how to implement a "Revoke Access" button:

UI Implementation
# Backend endpoint to handle revocation @app.route('/api/revoke-access', methods=['POST']) def revoke_access(): user_id = get_current_user_id() # Get from session/auth # Get all revocation tokens for this user tokens = get_user_revocation_tokens(user_id) # Revoke all tokens for token in tokens: client.revoke_memory(revocation_token=token['revocation_token']) # Clear tokens from storage clear_user_revocation_tokens(user_id) return {"success": True, "message": "Access revoked successfully"}
Handling Revoked State

When data has been revoked, subsequent read operations will return empty results. You should handle this gracefully in your application:

Handling Revoked State
result = client.read_memory( user_id="user123", scope="preferences", domain="food", purpose="generate food recommendations" ) # Check if data is available if not result.summary_struct or len(result.summary_struct) == 0: # Data has been revoked or doesn't exist # Show appropriate message to user print("No preferences available. Please provide your preferences.") # Or use default values preferences = {"likes": [], "dislikes": []} else: preferences = result.summary_struct
Bulk Revocation

When a user requests data deletion (GDPR right to be forgotten), you may need to revoke all tokens for that user:

Bulk Revocation
def revoke_all_user_access(user_id: str): """Revoke all access for a user (e.g., for GDPR deletion request)""" tokens = get_all_revocation_tokens_for_user(user_id) for token in tokens: try: client.revoke_memory(revocation_token=token['revocation_token']) except Exception as e: # Log error but continue with other tokens print(f"Error revoking token {token['revocation_token']}: {e}") # Clear all tokens from storage clear_all_tokens_for_user(user_id) return {"revoked_count": len(tokens)}
Token Expiration

Revocation tokens have an expiration time (typically 24 hours). After expiration, the token can no longer be used to revoke access, but the grant itself may still be active depending on your application's logic.

Token Expiration Check
# Check if token is expired before attempting revocation from datetime import datetime token_info = get_token_info(revocation_token) if datetime.utcnow() > token_info['expires_at']: print("Token has expired. Access may have already expired.") else: # Token is still valid, can revoke client.revoke_memory(revocation_token=revocation_token)
Best Practices
  • Store Securely: Revocation tokens should be stored securely and associated with user sessions so users can revoke their own data.
  • Provide UI: Always provide users with a way to revoke access through your application interface (e.g., "Delete my data" or "Revoke access" button).
  • Handle Gracefully: When data is revoked, handle the empty results gracefully - show appropriate messages to users rather than errors.
  • Respect User Choice: Once a user revokes access, respect their decision and don't attempt to re-read the data or create new read grants without explicit user consent.
  • Compliance: Revocation is essential for GDPR compliance. Ensure your application supports user data deletion requests.
  • Audit Trail: All revocations are logged. Review audit logs periodically to ensure compliance.
  • Bulk Operations: Support bulk revocation for GDPR deletion requests where users want to delete all their data.
  • Error Handling: Handle cases where tokens are already revoked or expired gracefully.
Next Steps
Revocation Tokens Concept →API Reference →Best Practices →