Token Revocation

See RFC 7009 for a detailed description. According to RFC 7009, a client should revoke the refresh token when it is no longer needed. This allows the authorization server to clean up security credentials. A revocation request invalidates the given refresh token and, if applicable, other refresh tokens based on the same authorization grant. It is not possible to revoke an access token. After a refresh token has been revoked, the client may not continue to use the access token, even if it is still valid. The access token automatically loses its validity after one hour at the latest.

Revoke a Refresh Token

The client builds the request by including the following parameters, in the “application/x-www-form-urlencoded” format, in the entity-body of an HTTP request:

Supported attributes:

Attribute      Type         Required  Description
Authorization  HTTP header  Yes       Basic {{base_64_encoded_client_id}}
Content-Type   HTTP header  Yes       application/x-www-form-urlencoded
token          string       Yes       The refresh token to be revoked

If successful, the server returns a success HTTP status code with no response body.

Example Request

curl -L -X POST "" \
     --header "Authorization: Basic bm9Y...hhcg==" \
     --header "Content-Type: application/x-www-form-urlencoded" \
     --data-urlencode "token=O1dtH4rqejCzPS2uRYnt"

Example Response

// no content
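The request-building and server-side handling described above, as an added Python example that is not part of the original page or of the service it documents. The function and class names, the in-memory grant store, the constructed client and token values, and the placeholder endpoint URL are all assumptions. The Basic credential is passed in as a plain string so it can hold whatever the server expects (the client id shown in the table, or RFC 6749's client_id:client_secret form). The server side goes one step beyond the page: it returns the same empty success response for unknown or foreign tokens, as RFC 7009 section 2.2 prescribes, so the endpoint cannot be used to probe which token values exist, and it shows the grant-level bookkeeping that makes a revoked grant's access token unusable as well.

```python
import base64
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode


def build_revocation_request(endpoint: str, client_credential: str, refresh_token: str) -> dict:
    """Build the RFC 7009 revocation request from the table above.

    client_credential is the string carried base64-encoded in the Basic header
    (the table shows the client id; RFC 6749 clients send "client_id:client_secret").
    """
    basic = base64.b64encode(client_credential.encode("utf-8")).decode("ascii")
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"token": refresh_token}),
    }


@dataclass
class Grant:
    """One authorization grant: every token issued from it shares its fate."""
    client_id: str
    refresh_tokens: set
    access_tokens: set
    revoked: bool = False


class RevocationEndpoint:
    """Minimal in-memory authorization-server side of the revocation endpoint (constructed)."""

    def __init__(self, client_credentials: dict, grants: list):
        self.client_credentials = client_credentials  # Basic credential string -> client_id
        self.grants = grants

    def _authenticate(self, headers: dict):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            credential = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        return self.client_credentials.get(credential)

    def handle(self, headers: dict, body: str):
        """Return (status_code, body); success carries no content, as the page states."""
        client_id = self._authenticate(headers)
        if client_id is None:
            return 401, "invalid_client"
        if headers.get("Content-Type") != "application/x-www-form-urlencoded":
            return 400, "invalid_request"
        token = parse_qs(body, keep_blank_values=True).get("token", [""])[0]
        if not token:
            return 400, "invalid_request"
        # Only a grant that holds this refresh token AND was issued to this client is touched.
        for grant in self.grants:
            if token in grant.refresh_tokens and grant.client_id == client_id:
                grant.revoked = True
                grant.refresh_tokens.clear()  # sibling refresh tokens of the same grant go too
                break
        # Unknown, already-revoked or foreign tokens get the same empty success response:
        # RFC 7009 section 2.2 says invalid tokens do not cause an error response.
        return 200, ""

    def access_token_accepted(self, access_token: str) -> bool:
        """Resource-server check: an access token from a revoked grant must not be honoured."""
        return any(access_token in g.access_tokens and not g.revoked for g in self.grants)


def demo() -> dict:
    """Constructed scenario: two clients with one grant each; client A revokes one refresh token."""
    grant_a = Grant("client-a", {"rt-a1", "rt-a2"}, {"at-a1"})
    grant_b = Grant("client-b", {"rt-b1"}, {"at-b1"})
    server = RevocationEndpoint({"client-a": "client-a", "client-b": "client-b"}, [grant_a, grant_b])
    endpoint = "https://authorization-server.example/revoke"  # placeholder, not a real endpoint

    def send(credential, token):
        req = build_revocation_request(endpoint, credential, token)
        return server.handle(req["headers"], req["body"])

    results = {"access_a1_accepted_before": server.access_token_accepted("at-a1")}
    results["revoke_own"] = send("client-a", "rt-a1")
    results["refresh_a2_still_listed"] = "rt-a2" in grant_a.refresh_tokens
    results["access_a1_accepted_after"] = server.access_token_accepted("at-a1")
    results["revoke_unknown"] = send("client-a", "does-not-exist")
    results["revoke_foreign"] = send("client-a", "rt-b1")  # client A may not revoke B's token
    results["access_b1_accepted"] = server.access_token_accepted("at-b1")
    results["bad_credentials"] = send("not-a-client", "rt-b1")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run the file directly to see the scenario play out. The point to take from the server side is that the response tells the caller only whether it authenticated and sent a well-formed request; whether the token existed, was already revoked, or belonged to someone else is never reflected in the status code.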