When users log out, you can revoke the access_token and refresh_token that your application received, so that neither can be used again.
If your Realm's access_token_retention_policy is set to no-store, revoking an access_token is a no-op, and the access_token will remain usable until it expires.
```http
POST /token_endpoint HTTP/1.1
Content-Type: application/x-www-form-urlencoded

token=AN_ACCESS_OR_REFRESH_TOKEN_VALUE
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
```
The revocation_endpoint will only return errors if:
- The Realm used does not exist
- The client_id does not exist
- The client_secret does not match for the client_id.
For all other scenarios a 200 OK is returned, even when the client_id provided does not own the token passed; a 200 therefore does not confirm that the token existed or belonged to your client.
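As an added example (not the product's own code), a small in-memory model of the behaviour described above: the client-side logout request, the three error conditions of the revocation_endpoint, the 200 returned for foreign or unknown tokens, and the no-store no-op. Realm, client, secret and token values are constructed, and the error status codes are assumptions since the page does not state them.

```python
from dataclasses import dataclass, field
from hmac import compare_digest
from urllib.parse import parse_qs, urlencode

# Constructed sample data (not from the page): realm names, clients,
# secrets and token values are all invented for this example.
@dataclass
class Realm:
    access_token_retention_policy: str          # "store" or "no-store"
    clients: dict                               # client_id -> client_secret
    tokens: dict = field(default_factory=dict)  # token value -> owning client_id

REALMS = {
    "demo": Realm("store", {"app-a": "secret-a", "app-b": "secret-b"},
                  {"acc-1": "app-a", "ref-1": "app-a"}),
    "nostore": Realm("no-store", {"app-c": "secret-c"}, {"acc-9": "app-c"}),
}

def revocation_body(token: str, client_id: str, client_secret: str) -> str:
    """Form-encoded body of the revocation POST shown above (client side)."""
    return urlencode({"token": token, "client_id": client_id,
                      "client_secret": client_secret})

def revoke(realm_name: str, body: str) -> int:
    """Model of the revocation_endpoint rules; returns the HTTP status.
    The page gives no error codes, so 400 (unknown realm) and 401 (bad
    client_id or client_secret) are assumptions of this example."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    realm = REALMS.get(realm_name)
    if realm is None:
        return 400                                   # realm does not exist
    secret = realm.clients.get(form.get("client_id", ""))
    if secret is None:
        return 401                                   # client_id does not exist
    if not compare_digest(secret, form.get("client_secret", "")):
        return 401                                   # client_secret mismatch
    if realm.access_token_retention_policy == "no-store":
        return 200                                   # no-op: token stays valid
    token = form.get("token", "")
    # 200 whether the token is unknown or owned by another client; the page
    # does not say a foreign token is removed, so only the owner's are.
    if realm.tokens.get(token) == form["client_id"]:
        del realm.tokens[token]
    return 200

def logout(realm_name, client_id, client_secret, access_token, refresh_token):
    """Revoke both tokens at logout; returns the two statuses in order."""
    return [revoke(realm_name, revocation_body(t, client_id, client_secret))
            for t in (access_token, refresh_token)]

def token_usable(realm_name: str, token: str) -> bool:
    """Whether the modelled server still accepts the token."""
    return token in REALMS[realm_name].tokens
```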