0
votes

I'm trying to figure out if I'm using the correct API calls to revoke my app's access to a user's Twitter account (so that when a user attempts to log in with Twitter again, they have to grant my app access instead of not being asked to log in).

On my app locally I have a server running where a user has the capability to grant my app access to their Twitter. I am successful at obtaining an access token using

https://api.twitter.com/oauth/request_token

but when it comes to revoking that same access token I've attempted to use

https://api.twitter.com/oauth2/invalidate_token

described here: https://developer.twitter.com/en/docs/basics/authentication/api-reference/invalidate_token

but it seems to use OAuth1 to obtain the access_token and OAuth2 to invalidate it, which seems odd. I'm able to POST, but the error I receive is 403 "Unable to verify your credentials".

In the description of the invalidate_token call, it mentions invalidating an "OAuth 2 Bearer Token", but when obtaining the token I obtained an "OAuth Request Token".

Can one authenticate with OAuth2 to invalidate a token obtained with OAuth1? Or am I missing something?

The server is running PHP and the calls are made with curl.

1 Answer

0
votes

You cannot programmatically revoke OAuth1 tokens using the Twitter API, unless you are using Bearer Tokens. In your case, you are not using Bearer tokens, but standard OAuth1 request and access tokens.

Rather than revoking access, you can direct users to the GET oauth/authorize endpoint which requires the user to re-approve the application:

https://developer.twitter.com/en/docs/basics/authentication/api-reference/authorize

However, please think carefully about why you are doing this -- typically, a user grants your application permissions once and then revokes it themselves through their Twitter settings, as described here:

https://help.twitter.com/en/managing-your-account/connect-or-revoke-access-to-third-party-apps
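To make the answer's distinction concrete, here is an added example (not code from the question or the answer) of what an OAuth 1.0a request to oauth/request_token actually looks like: every call is freshly signed with HMAC-SHA1 over the consumer secret, so there is no self-contained bearer secret to hand to oauth2/invalidate_token, and "re-approval" is simply sending the user to oauth/authorize again. It is written in Python rather than the asker's PHP/curl (the signing steps are identical); the consumer key, consumer secret and callback URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlencode

# Constructed placeholder app credentials (not real Twitter keys).
CONSUMER_KEY = "EXAMPLE_CONSUMER_KEY"
CONSUMER_SECRET = "EXAMPLE_CONSUMER_SECRET"
REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"

def pct(value):
    # OAuth 1.0a needs RFC 3986 encoding: only unreserved characters stay unescaped.
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # Encode each key/value, sort by key, join with '&', then glue METHOD&URL&PARAMS.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with consumer secret and token secret. The token secret is
    # empty for oauth/request_token because no token exists yet.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def request_token_header(callback_url, nonce=None, timestamp=None):
    # Build the Authorization header for POST oauth/request_token. Each request
    # carries its own signature; the secrets themselves never travel over the wire.
    oauth_params = {
        "oauth_callback": callback_url,
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    oauth_params["oauth_signature"] = sign("POST", REQUEST_TOKEN_URL, oauth_params, CONSUMER_SECRET)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items()))

def authorize_url(oauth_token):
    # Step 2: send the user here; Twitter asks them to (re-)approve the app.
    return AUTHORIZE_URL + "?" + urlencode({"oauth_token": oauth_token})
```

Send the header from request_token_header() with an empty-bodied POST to REQUEST_TOKEN_URL, then redirect the user to authorize_url() with the oauth_token Twitter returns.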