See openid-connect Menu
  1. Home >
  2. OpenId Connect >
  3. API Reference - Latest >
  4. Revoke a Token

Revoke a Token

Use this API to revoke and access_token or refresh_token.

The authentication requirements for this request are dependent on the Token Endpoint Authentication Method that is defined on an OpenId Connect application.

  • Basic - Client ID and Client Secret are required in the Authorization header.
  • POST - Client ID and Client Secret are required in the request body.
  • None (PKCE) - Client ID is required in the request body. Do not include Client Secret.
Sending credentials in both Authorization header and payload body will cause an error.



Resource URL

https://<subdomain>.onelogin.com/oidc/2/token/revocation

Header Parameter

Authorization

string

Required if Token Endpoint Authentication Method is set to Basic

Set to Basic <base64 encoded "clientId:clientSecret">.

The client_id and client_secret are generated when you configure your OpenId Connect app in OneLogin.

e.g. Using Node.js this would be 

new Buffer(`${this.client_id}:${this.client_secret}`).toString('base64');

Content-Type

required

string

application/x-www-form-urlencoded

Resource Parameter

subdomain

required

string

Set to the subdomain of your OneLogin instance.

e.g. oidc-sample where the instance is https://oidc-sample.onelogin.com

Request Parameter

token

required

string

The access_token or refresh_token that will be revoked.

When an access_token is supplied only that token will be invalidated.

When a refresh_token then all of the related tokens will be invalidated.

token_type_hint

string

Set to access_token or refresh_token based on the type of token that is being revoked.

client_id

string

The OneLogin generated Client ID for your OpenID Connect app.

Required if Token Endpoint Authentication method is set to POST or none (PKCE).

client_secret

string

The OneLogin generated Client Secret for your OpenID Connect app.

Required if Token Endpoint Authentication method is set to POST.

Sample Request Body

token=MmVkMTIyNGUtODI5MC00YzQ4LThkZmQtYzUzYmMzODBkYjY3UV4nmxKh4z....&token_type_hint=access_token

Sample Response

  • 200 OK
  • 400 Bad Request
  • 401 Unauthorized

The token may already have been revoked

{
    "error": "unsupported_token_type",
    "error_description": "revocation of the presented token type is not supported"
}

The authorization header is invalid

{
    "error": "invalid_request",
    "error_description": "invalid authorization header value format"
}
{
    "error": "invalid_request",
    "error_description": "Authentication Failed"
}
{
    "error": "invalid_request",
    "error_description": "Access is unauthorized"
}

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl -XPOST "https://<subdomain>.onelogin.com/oidc/2/token/revocation" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "token=<access_token>&token_type_hint=access_token"

Postman Collection

Run In Postman

    Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.

Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.