
Revoke access token

POST /token-srv/revoke

Token Revocation (RFC 7009)

This API revokes an OAuth 2.0 token, making it invalid for further use. It is especially useful for revoking client_credentials tokens or when you need to revoke tokens programmatically.

Security:

  • Basic Authentication (Recommended): Provide client_id and client_secret via Basic Authentication header: Basic <base64(client_id:client_secret)>
  • Alternative: You can provide client_id and client_secret in the request body instead of using Basic Authentication
  • The client credentials must belong to the client to which the token was issued; a valid client cannot revoke another client's tokens

Token Types:

  • access_token - Access token (default if not specified)
  • refresh_token - Refresh token
  • id_token - ID token

Response:

  • Returns HTTP 200 with an empty response body if the token is successfully revoked (as per RFC 7009)
  • Returns HTTP 200 even if the token was already revoked or doesn't exist (RFC 7009 requires this behavior to prevent token enumeration)
  • Returns non-200 status codes only for invalid requests (missing token, invalid authentication, etc.)

Note: For user logout scenarios, use the end_session API instead, which handles session cleanup and redirects.

Request

Responses

Token revoked successfully (or token was already revoked/doesn't exist)

As per RFC 7009, the response body is empty. The endpoint returns HTTP 200 even if the token was already revoked or doesn't exist to prevent token enumeration attacks. Only invalid requests (missing token, authentication failures, etc.) return non-200 status codes.
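The following is an added example, not code from this documentation or from the token service itself. It models both sides of the revocation call described above: a client helper that builds the Basic Authentication header and form body for POST /token-srv/revoke, and a minimal in-memory server handler that applies the RFC 7009 rules (empty 200 body whether or not the token exists, credentials must belong to the issuing client, token_type_hint treated only as a lookup hint). The client ids, secrets and token values are constructed sample data; the specific non-200 codes (400 invalid_request, 401 invalid_client) follow RFC 6749 and are an assumption, since this page only says "non-200".

```python
"""Added example (not part of the documentation page): RFC 7009 revocation,
client side and server side, against an in-memory token store."""
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample data: registered clients and the tokens issued to them.
CLIENTS = {"app-123": "s3cret"}  # client_id -> client_secret
ISSUED = {                        # token value -> (token type, owning client_id)
    "tok_access_1": ("access_token", "app-123"),
    "tok_refresh_1": ("refresh_token", "app-123"),
    "tok_other_client": ("access_token", "app-999"),
}
REVOKED = set()
SUPPORTED_TYPES = ("access_token", "refresh_token", "id_token")


def basic_auth_header(client_id, client_secret):
    """'Basic <base64(client_id:client_secret)>', the recommended authentication."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_revocation_request(token, client_id, client_secret, token_type_hint=None):
    """Client side: headers and x-www-form-urlencoded body for POST /token-srv/revoke."""
    form = {"token": token}
    if token_type_hint:  # optional; defaults to access_token on the server side
        form["token_type_hint"] = token_type_hint
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urlencode(form)


def _authenticate(headers, form):
    """Return the client_id if credentials are valid, else None.
    Basic header is checked first; the body fallback is the page's alternative."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        client_id, _, secret = decoded.partition(":")
    else:
        client_id = form.get("client_id", [""])[0]
        secret = form.get("client_secret", [""])[0]
    if client_id not in CLIENTS:
        return None
    # Constant-time comparison so a wrong secret and a nearly-right secret take equal time.
    if hmac.compare_digest(CLIENTS[client_id].encode(), secret.encode()):
        return client_id
    return None


def handle_revoke(headers, body):
    """Server side: returns (status, body).
    200 with an empty body for every well-formed, authenticated request,
    regardless of whether the token exists, is active, or belongs to someone else."""
    form = parse_qs(body, keep_blank_values=True)
    client_id = _authenticate(headers, form)
    if client_id is None:
        return 401, '{"error":"invalid_client"}'        # assumed code, per RFC 6749
    token = form.get("token", [""])[0]
    if not token:
        return 400, '{"error":"invalid_request"}'       # assumed code, per RFC 6749
    hint = form.get("token_type_hint", ["access_token"])[0]
    if hint not in SUPPORTED_TYPES:
        hint = "access_token"  # unknown hint: fall back rather than leak anything
    entry = ISSUED.get(token)
    # RFC 7009: the hint only orders the search; a mismatch must not prevent revocation.
    # Revoke only when the token belongs to the authenticated client; otherwise respond
    # exactly as for an unknown token so the caller learns nothing about other clients.
    if entry is not None and entry[1] == client_id:
        REVOKED.add(token)
    return 200, ""


def is_active(token):
    """Introspection-style check used here to observe the effect of a revocation."""
    return token in ISSUED and token not in REVOKED


if __name__ == "__main__":
    hdrs, form_body = build_revocation_request("tok_access_1", "app-123", "s3cret")
    print(handle_revoke(hdrs, form_body))   # (200, '')
    print(handle_revoke(hdrs, form_body))   # still (200, '') on a second call
    print(is_active("tok_access_1"))        # False
```

The handler deliberately collapses "revoked", "already revoked", "never existed" and "belongs to another client" into the same empty 200, which is the behaviour the page describes; on the defending side, the useful signal is therefore not the response but an audit log entry recording which client revoked which token, so that revocations of tokens a client never owned can be spotted.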