Revoke

Description: Method for revoking OAuth2 refresh tokens and/or access tokens.
Path: oauth/revoke
Since (API version): 3.0

This endpoint can be used to revoke tokens. Revoking an access token revokes only that access token. Revoking a refresh token revokes the specified refresh token and also every access token that belongs to it. Once a token has been revoked it can no longer be used, and it has been deleted from the database.

To access this endpoint the client must authenticate itself.

Sending a POST request to the oauth/revoke endpoint returns HTTP status code 200 OK with an empty JSON body if the token(s) were successfully revoked, and also if the token(s) did not exist.

Example request:

POST /https/api/rest/v3.0/oauth/revoke

{
   token="d3ba6ef1fb0c5c95cecea61c23ca2c94c0461ccd"
   token_type_hint="Access_Token"
   client_id="MyClient"
   client_secret="abcd1234"
}

Successful response:

{ }

All attributes that could be included in the request are explained in the table below.

Property         Description
token            REQUIRED. Value of the token to revoke.
token_type_hint  OPTIONAL. The value can be either "Access_Token" or "Refresh_Token". Including this property makes the revocation more efficient; otherwise a database operation has to be performed to determine the token type. If this property is included it is trusted as given: no additional checks are performed to verify the token type.
client_id        Client id used for authentication. If no Basic Authorization header or Client Certificate is sent in the request, this attribute is REQUIRED, otherwise it is IGNORED.
client_secret    Client secret used for authentication. If no Basic Authorization header or Client Certificate is sent in the request, this attribute is REQUIRED, otherwise it is IGNORED.

Error responses

If there is a problem with, for example, the database, a server error is returned.

{
    "error": "SERVER_ERROR",
    "errorDescription": "Error when trying to revoke"
}

If the token property is omitted, no revocation can be performed.

{
    "error": "INVALID_REQUEST",
    "errorDescription": "Required parameter 'token' is null"
}
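The behaviour described above (client authentication, the trusted token_type_hint, the cascade from a refresh token to its access tokens, the 200 OK response for unknown tokens, and the INVALID_REQUEST error) can be modelled in a few lines. The following is an added example written for this page; it is not Nexus code, and it assumes an in-memory token store, constructed sample tokens (r1, a1, a2, a3), HTTP status 400 for INVALID_REQUEST and a hypothetical INVALID_CLIENT error for failed client authentication, none of which the page specifies.

```python
# Added example, not part of the Nexus documentation: an in-memory model of the
# revoke endpoint semantics. Sample tokens and the client secret are constructed.
import hmac
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    clients: dict = field(default_factory=dict)  # client_id -> client_secret
    refresh: dict = field(default_factory=dict)  # refresh token -> client_id
    access: dict = field(default_factory=dict)   # access token -> (client_id, parent refresh or None)


def make_store() -> TokenStore:
    """Constructed sample data: one client, refresh token r1 with child access
    tokens a1 and a2, and a stand-alone access token a3."""
    s = TokenStore()
    s.clients["MyClient"] = "abcd1234"
    s.refresh["r1"] = "MyClient"
    s.access["a1"] = ("MyClient", "r1")
    s.access["a2"] = ("MyClient", "r1")
    s.access["a3"] = ("MyClient", None)
    return s


def revoke(store: TokenStore, params: dict, basic_auth=None):
    """Model of POST oauth/revoke. Returns (http_status, json_body)."""
    # Client authentication: a Basic Authorization header takes precedence and
    # client_id/client_secret in the body are then ignored; without it they are required.
    if basic_auth is not None:
        client_id, secret = basic_auth
    else:
        client_id, secret = params.get("client_id"), params.get("client_secret")
    if (client_id not in store.clients or secret is None
            or not hmac.compare_digest(store.clients[client_id], secret)):
        # Hypothetical error value and status; the page does not document this case.
        return 401, {"error": "INVALID_CLIENT",
                     "errorDescription": "Client authentication failed"}

    token = params.get("token")
    if token is None:
        # Error body from the page; status 400 is an assumption.
        return 400, {"error": "INVALID_REQUEST",
                     "errorDescription": "Required parameter 'token' is null"}

    hint = params.get("token_type_hint")
    if hint is None:
        # No hint: a lookup is needed to determine which kind of token this is.
        hint = "Refresh_Token" if token in store.refresh else "Access_Token"
    # The hint is trusted as given: only the named table is searched, so a wrong
    # hint silently results in "token not found" (still 200 OK, nothing revoked).
    if hint == "Refresh_Token":
        if store.refresh.pop(token, None) is not None:
            # Cascade: the access tokens belonging to this refresh token go too.
            for a, (_, parent) in list(store.access.items()):
                if parent == token:
                    del store.access[a]
    elif hint == "Access_Token":
        store.access.pop(token, None)  # only the named access token
    else:
        return 400, {"error": "INVALID_REQUEST",
                     "errorDescription": "Unknown token_type_hint"}  # assumption
    # 200 OK with an empty JSON body whether or not the token existed.
    return 200, {}
```

The "wrong hint" branch is the caveat worth noticing as a defender: because the hint is trusted, a client that passes token_type_hint="Access_Token" for a refresh token gets 200 OK while the refresh token and its access tokens stay valid, so a logout or compromise-response flow should send the correct hint or omit it. RFC 7009 section 2.1 additionally requires the server to verify that the token was issued to the requesting client; this model leaves that check out.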

RFC

The revoke endpoint follows RFC 7009, "OAuth 2.0 Token Revocation". For more details see: https://tools.ietf.org/html/rfc7009

Copyright © 1999-2023, Technology Nexus. All rights reserved.