Revoke token flow
In some cases a user might wish to revoke access given to an application. An access token can be revoked by calling the API Gateway revoke service and providing the access token to be revoked.
The endpoint for revoke token requests is as follows:
The token to be revoked should be sent to the revoke token endpoint in an HTTP POST request with the following parameters:
Parameter | Description
token | Required. The token to be revoked (an access token or a refresh token).
token_type_hint | Optional. A hint specifying the token type: access_token or refresh_token.
The following is an example POST request:
POST /api/oauth/revoke HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: 192.168.0.48:8080
Authorization: Basic U2FtcGxlQ29uZmlkZW50aWFsQXBwOjY4MDhkNGI2LWVmMDktNGIwZC04ZjI4LTNiMDVkYTljNDhlYw==

token=4eclEUX1N6oVIOoZBbaDTI977SV3T9KqJ3ayOvs4gqhGA4&token_type_hint=refresh_token
Run the sample client
The following Jython sample client creates a token revoke request to the authorization server:
To run the sample, open a shell prompt at INSTALL_DIR/samples/scripts, and execute the following command:
Paste the value associated with the token in the dialog:
Select the type of token hint in the next dialog:
If you select neither hint type, no token_type_hint parameter is included in the POST request. If you select access_token, the POST request contains token_type_hint=access_token. If you select refresh_token, the POST request contains token_type_hint=refresh_token.
When the authorization server receives the token revocation request, it first validates the client credentials and verifies whether the client is authorized to revoke the particular token based on the client identity.
Note: Only the client that was issued the token can revoke it.
The authorization server decides whether the token is an access token or a refresh token:
- If it is an access token, this token is revoked.
- If it is a refresh token, all access tokens issued for the refresh token are invalidated, and the refresh token is revoked.
The following HTTP status response codes are returned:
- HTTP 200 if the token was revoked successfully or if an invalid token was submitted.
- HTTP 401 if client authentication failed.
- HTTP 403 if the client is not authorized to revoke the token.
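The following Python example is added here to illustrate both the shape of the POST request shown above and the decision the authorization server makes when it receives one (client authentication, ownership check, access-token versus refresh-token handling, and the 200/401/403 outcomes). It is not the Jython sample client or any API Gateway code: RevocationServer is an in-memory stand-in for the server, and the client names, secrets and token values are constructed placeholders.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode


def basic_auth_header(client_id, client_secret):
    """Build the Authorization: Basic value from client credentials (RFC 7617 form)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_revoke_request(host, client_id, client_secret, token, token_type_hint=None):
    """Return the raw HTTP/1.1 text of a revoke request, in the shape of the example above.

    token_type_hint is omitted from the body when no hint is given."""
    form = {"token": token}
    if token_type_hint is not None:
        form["token_type_hint"] = token_type_hint
    body = urlencode(form)
    lines = [
        "POST /api/oauth/revoke HTTP/1.1",
        "Content-Type: application/x-www-form-urlencoded; charset=UTF-8",
        f"Host: {host}",
        f"Authorization: {basic_auth_header(client_id, client_secret)}",
        f"Content-Length: {len(body)}",
        "",
        body,
    ]
    return "\r\n".join(lines)


class RevocationServer:
    """In-memory model of the authorization server's revoke decision (constructed example)."""

    def __init__(self):
        self.clients = {}  # client_id -> client_secret
        self.tokens = {}   # token value -> {"kind", "client_id", "parent"}

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def issue(self, value, kind, client_id, parent=None):
        """Record an issued token; an access token may name the refresh token it came from."""
        self.tokens[value] = {"kind": kind, "client_id": client_id, "parent": parent}

    def is_active(self, value):
        return value in self.tokens

    def _authenticate(self, authorization):
        """Return the client_id for a valid Basic header, else None."""
        if not authorization or not authorization.startswith("Basic "):
            return None
        try:
            decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        client_id, _, client_secret = decoded.partition(":")
        expected = self.clients.get(client_id)
        # Constant-time comparison so secret checking does not leak timing information.
        if expected is None or not secrets.compare_digest(expected.encode(), client_secret.encode()):
            return None
        return client_id

    def revoke(self, headers, body):
        """Process one revoke request; returns (http_status, message)."""
        client_id = self._authenticate(headers.get("Authorization"))
        if client_id is None:
            return 401, "client authentication failed"
        form = parse_qs(body, keep_blank_values=True)
        token = form.get("token", [""])[0]
        if not token:
            return 400, "missing token parameter"  # assumption: not one of the codes listed above
        entry = self.tokens.get(token)
        if entry is None:
            # Unknown or already-revoked token still gets 200, so the response does not
            # tell the caller whether a guessed token value ever existed.
            return 200, "token not found; nothing to revoke"
        if entry["client_id"] != client_id:
            return 403, "client not authorized to revoke this token"
        if entry["kind"] == "refresh_token":
            # Revoking a refresh token also invalidates every access token issued from it.
            for value, other in list(self.tokens.items()):
                if other["parent"] == token:
                    del self.tokens[value]
        del self.tokens[token]  # the token_type_hint is accepted but the lookup is by value
        return 200, "Successfully revoked token"


if __name__ == "__main__":
    srv = RevocationServer()
    srv.register_client("SampleConfidentialApp", "secret-placeholder")
    srv.issue("ref-1", "refresh_token", "SampleConfidentialApp")
    srv.issue("acc-1", "access_token", "SampleConfidentialApp", parent="ref-1")
    hdr = {"Authorization": basic_auth_header("SampleConfidentialApp", "secret-placeholder")}
    print(build_revoke_request("192.168.0.48:8080", "SampleConfidentialApp",
                               "secret-placeholder", "ref-1", "refresh_token"))
    print(srv.revoke(hdr, "token=ref-1&token_type_hint=refresh_token"))
```

The ownership check runs only after client authentication succeeds and before any state changes, so a wrong secret yields 401 and a valid client presenting another client's token yields 403 without revealing anything else; an unknown token is answered with 200 exactly as the status list above specifies.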
The following is an example response:
Token to be revoked:3eXnUZzkODNGb9D94Qk5XhiV4W4gu9muZ56VAYoZiot4WNhIZ72D3
Revoking token...............
Response from revoke token request is:200
Successfully revoked token