Use with questions about token (either access or refresh) revocation, the process of notifying the authorization server that issued a token that the token should no longer be used.
Usage guidance
Use for questions on the security procedure of revoking tokens.
Always use with the main tag: oauth-2.0
About
Token revocation is a procedure defined by RFC 7009 for revoking access or refresh tokens obtained via the OAuth 2.0 authorization mechanism. A token is revoked by sending an HTTP POST request to the authorization server's revocation endpoint, which must be served over HTTPS. According to the standard, the procedure is as follows:

1. The client sends an `application/x-www-form-urlencoded` payload in an authenticated request to the endpoint with these fields:

Key | Meaning | Required? | Allowed values |
---|---|---|---|
token | the token to be revoked | yes | - |
token_type_hint | type of the token to be revoked | no | access_token, refresh_token |

2. The server validates the client's credentials and checks that the `token` was issued to the client making the request. The `token_type_hint` is only a hint: if the server cannot find the token under the hinted type, it must extend its search to all token types it supports.

3. If both checks in step 2 pass, the server invalidates the token and responds with HTTP 200. If the token is unknown, expired or already revoked, the server also responds with HTTP 200 and no error, because the client could not act on such an error and the token is unusable either way. If client authentication fails, the request is refused with an error response as defined in RFC 6749, section 5.2 (for example `invalid_client`). Revoking a refresh token should also invalidate the access tokens issued under the same authorization grant.

In the case of an unsupported token type, the server sends an HTTP 400 response structured as defined in RFC 6749, carrying the revocation-specific error code `unsupported_token_type`. In the case of a server error, an HTTP 503 response is sent; the client must assume the token still exists and may retry after a reasonable delay, or after the interval given in the optional `Retry-After` header if the server includes one.
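The exchange described above, as an added example that is not part of this tag wiki or of RFC 7009: a client-side request builder and a hypothetical in-memory authorization server written in Python. The client id, client secret and token strings are constructed sample data (the identifiers reuse the placeholder values from the RFC examples), the 30-second `Retry-After` value is an arbitrary choice, and the server keeps its issued tokens in a dict rather than a real token store.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode

SUPPORTED_TYPES = {"access_token", "refresh_token"}


def build_revocation_request(client_id, client_secret, token, token_type_hint=None):
    """Client side of RFC 7009 section 2.1: form-encoded body plus HTTP Basic
    client authentication (RFC 6749 section 2.3.1). Returns (headers, body)."""
    fields = {"token": token}
    if token_type_hint is not None:
        fields["token_type_hint"] = token_type_hint
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(fields)


class RevocationServer:
    """Hypothetical in-memory authorization server holding its registered clients
    and the tokens it issued. handle() returns (status, headers, body)."""

    def __init__(self, clients, tokens, available=True):
        self.clients = dict(clients)    # client_id -> client_secret
        self.tokens = dict(tokens)      # token -> {"type", "client_id", "grant"}
        self.available = available      # False simulates the HTTP 503 case

    def _authenticate(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # bad base64 (binascii.Error) or bad UTF-8 both subclass ValueError
            return None
        expected = self.clients.get(client_id)
        # Constant-time comparison so a wrong secret is not distinguishable by timing.
        if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
            return None
        return client_id

    def handle(self, headers, body):
        if not self.available:
            # Client must assume the token still exists and retry after the delay.
            return 503, {"Retry-After": "30"}, ""
        client_id = self._authenticate(headers)
        if client_id is None:
            # Client authentication failed: error response per RFC 6749 section 5.2.
            return 401, {"WWW-Authenticate": 'Basic realm="revoke"'}, '{"error":"invalid_client"}'
        form = parse_qs(body)
        token = form.get("token", [None])[0]
        if token is None:
            return 400, {}, '{"error":"invalid_request"}'
        hint = form.get("token_type_hint", [None])[0]
        if hint is not None and hint not in SUPPORTED_TYPES:
            return 400, {}, '{"error":"unsupported_token_type"}'
        # Lookup is by token value, so a wrong-but-supported hint cannot prevent revocation.
        record = self.tokens.get(token)
        if record is not None and record["client_id"] == client_id:
            self._revoke(token, record)
        # Unknown, expired or already-revoked tokens get 200 as well (RFC 7009 section 2.2).
        # This example also answers 200 for a token owned by another client, so the
        # response does not reveal whether that token exists; nothing is revoked.
        return 200, {}, ""

    def _revoke(self, token, record):
        del self.tokens[token]
        if record["type"] == "refresh_token":
            # Revoking a refresh token also drops access tokens issued under the same grant.
            for t, r in list(self.tokens.items()):
                if r["grant"] == record["grant"] and r["type"] == "access_token":
                    del self.tokens[t]

    def is_active(self, token):
        return token in self.tokens


def sample_server(available=True):
    """Constructed sample state (not from the page): one confidential client, a
    refresh/access token pair it holds, and an access token owned by another client."""
    return RevocationServer(
        clients={"s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw"},
        tokens={
            "45ghiukldjahdnhzdauz": {"type": "access_token", "client_id": "s6BhdRkqt3", "grant": "g1"},
            "tGzv3JOkF0XG5Qx2TlKWIA": {"type": "refresh_token", "client_id": "s6BhdRkqt3", "grant": "g1"},
            "other-client-token": {"type": "access_token", "client_id": "other", "grant": "g2"},
        },
        available=available,
    )


if __name__ == "__main__":
    srv = sample_server()
    hdrs, body = build_revocation_request("s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw",
                                          "tGzv3JOkF0XG5Qx2TlKWIA", "refresh_token")
    print(srv.handle(hdrs, body))                 # (200, {}, '')
    print(srv.is_active("45ghiukldjahdnhzdauz"))   # False: same-grant access token is gone too
```

The server deliberately returns the same 200 for a revoked token, an unknown token and a token that belongs to a different client; the only distinguishing responses are the ones the RFC defines (client authentication failure, unsupported hint, and 503 when the service is unavailable), which keeps the endpoint from doubling as a token-existence oracle.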