Share link revocation

Every Client Live View share link can be revoked instantly from the project dashboard. Once revoked, the JWT is invalidated server-side; every open browser tab stops updating within the next poll cycle and shows a LINK REVOKED state.

app.migrationfox.com/projects/finance/shares

app.migrationfox.com/share/sh_9f4c2a1b

created by m.patel · 2026-04-16 11:02 · expires in 28 days

ACTIVE

app.migrationfox.com/share/sh_7d21e840

created by m.patel · 2026-04-14 09:42 · revoked 2026-04-15 17:08

REVOKED

app.migrationfox.com/share/sh_2b1f930c

created by m.patel · 2026-03-12 15:22 · auto-expired after 30 days

EXPIRED

How to revoke

Open the project in MigrationFox.
Navigate to Project · Share links.
Find the link in the list. Each row shows the URL, the creator, the creation time, and the expiry.
Click Revoke. A confirmation appears; click Confirm to proceed.
The link status flips to REVOKED. The next time any browser viewing the link polls the status endpoint (within 5 seconds on the default poll), it receives a 410 GONE and switches to the revoked view.

What the viewer sees

A revoked link renders a full-page message in place of the live-view dashboard:

This share link has been revoked. If you were expecting to see migration progress, contact the migration lead to request a new link.

Subsequent API calls from the revoked JWT fail immediately with HTTP 401. The viewer cannot re-open the link by refreshing.

Why you might revoke

Migration is complete. Live view is no longer needed. Revoke to close the window.
Link was shared to the wrong person. Revoke immediately; create a new one for the correct recipient.
Client relationship ended. Revoke all client-facing links when handing off the tenant.
Security review requires it. Some tenants revoke every external-facing link on a scheduled cadence.

Revocation scope

Revocation is per-link, not per-project. If you issued three different share links for the same project (to three stakeholders), revoking one does not affect the other two. To revoke all project share links at once, use the Revoke all action at the top of the shares panel.

Revoking via API

POST /api/shares/sh_9f4c2a1b/revoke
Authorization: Bearer <personal-access-token>

{
  "reason": "migration complete"
}

Response:

{
  "id": "sh_9f4c2a1b",
  "status": "revoked",
  "revoked_at": "2026-04-18T14:02:11Z",
  "revoked_by": "m.patel@agency.com",
  "reason": "migration complete"
}

Default expiry

Every share link is JWT-signed with a 30-day expiry by default. You can change the expiry on creation (range: 1 hour to 90 days). The expiry is enforced server-side by the JWT exp claim — an expired link behaves the same way as a revoked link from the viewer’s perspective.

TIP

For tight-control scenarios, issue the link with a short expiry (e.g., 24 hours for a single cutover window) instead of relying on manual revocation. The JWT handles the expiry automatically.

Audit log

Every revocation is written to the project audit log with timestamp, actor, link ID, and reason. Audit entries are exportable as CSV from the project audit panel and are retained for the life of the project.

Client Live View — the branded share page
Rollback preview — the seven-day reversible window