Token revocation

When users logout, you can revoke the access_token and refresh_token which your application received in order to prevent any future use.

If your Realm's access_token_retention_policy is set to no-store, revoking an access_token is a no-op, and the access_token will be usable until it expires

POST /token_endpoint HTTP/1.1
Host: oauth.server
Content-Type: application/x-www-form-urlencoded
token=AN_ACCESS_OR_REFRESH_TOKEN_VALUE
 &client_id=YOUR_CLIENT_ID
 &client_secret=YOUR_CLIENT_SECRET

The revocation_endpoint will only return errors if

The Realm used does not exist
The client_id does not exist
The client_secret does not match for the client_id.

For all other scenarios a 200 Ok will be returned, even in case the client_id provided does not own the token passed

HTTP/1.1 200 Ok

Products

Authentication Multifactor Authentication Branding Application Management API Management

Documentation

Fundamentals Guides Develop Object Reference Class Reference

Revocation Request

Revocation Response

Products

Documentation