Remote wipe

This document provides a quick overview of the remote wipe API that should be used by clients to implement the remote wipe functionality. This will allow users to wipe a lost device for example.

Note that wiping only works when clients use the login flow so that a dedicated token is set for this client.

Obtaining wipe status

Once a client recieves a 401 or 403 status response it will do a fetch to <server>/index.php/core/wipe/check and set the token parameter to the apptoken.

curl -X POST -d 'token=<TOKEN>'

In case the client gets back a 200 status code and a JSON array with wipe set to true like:


then the client should proceed to wipe the device.

Wiping the actual device

The client must remove all user data linked to the account. This includes:
  • caches

  • offline files

  • the actual account itself

Signalling completion

Once the client has wiped all the required data a POST to <server>/index.php/core/wipe/success has to be made with the token. This signals the server the wipe is completed and triggers the final cleanup on the server side.

curl -X POST -d 'token=<TOKEN>'