API Token still works after archiving

Hi everyone!
I have a self-hosted version 4.5.18 running in ubuntu.
I’ve been testing the android app and I’ve noticed that when creating the API Token it works just fine but after archiving it I would expect that token to stop working for the user and it’s not the case. The user can log in and access the app without a problem and the only way to stop the user from accessing the app it’s by archiving the user thus erasing the user. Is there a way to truly delete the API token?

The reason I want the API Token to stop working it’s that I noticed that I can limit the dashboard from the webpage but can’t limit the information on the android app for the user and it shows accounting information like balances and the sum of the invoices, etc, just overall accounting information of the company that I don’t want accessible for the user. To be clear I want the user to have access through the web (because I can limit the dashboard and accounting information) but deny the access through the android app via the API token.

So basically it’s 2 issues, first being the API token not “deactivating” and second how to limit or not show at all the dashboard in the android app for users so that the accounting information is only accessible by administrators.

Any help greatly appreciated!


Agreed, we’ll change the behavior of archived tokens in the next release. Until then you would need to mark the user as deleted to prevent access.

Sorry, it isn’t possible to adjust what’s shown in the Android app other than adjusting the user’s permissions.