
Revoke Token

Revoke an access token and refresh token pair.

Warning: Revoking an access token means that the access token and its associated refresh token will no longer work.

Resource URL

Before calling this API, consider using its version /2 equivalent.

https://<subdomain>/auth/oauth2/revoke

Header Parameters

Authorization

required

string

Set to client_id:<client_id>, client_secret:<client_secret>.

The client ID and client secret must be the ones used to generate the access token that you want to revoke.

For details about getting a client ID and client secret, see API Credentials.

Content-Type

required

string

Set to application/json.

Request Parameters

access_token

required

string

Set to the access token you want to revoke.

This access token must have been generated using the client_id and client_secret provided in the Authorization header.

Sample Request Body

{
   "access_token": "xx508xx63817x752xx74004x30705xx92x58349x5x78f5xx34x8x614xxxx1451"
}

Sample Response

{
    "status": {
        "error": false,
        "code": 200,
        "type": "success",
        "message": "Success"
    }
}

Here are a few different errors that will return a 400 Bad Request status code.

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "Content Type is not specified or specified incorrectly. Content-Type header must be set to application/json"
    }
}

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "Access Token Missing"
    }
}

Typically, the following error means that your Authorization header value is missing or incorrectly formatted. The Authorization header format must be: client_id:<client_id>, client_secret:<client_secret>.

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "The authorization information is missing"
    }
}

Typically, this error means that your client_id and/or client_secret values are invalid.

{
    "status": {
        "error": true,
        "code": 401,
        "type": "Unauthorized",
        "message": "Authentication Failure"
    }
}

Typically, this error means that you are using the wrong HTTP method. If you receive this error, ensure that you are sending a POST request.

{
    "status": {
        "error": true,
        "code": 404,
        "type": "not found",
        "message": "No Route Exists"
    }
}
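The following Python is an added example, not OneLogin's own sample code: it builds the revoke request exactly as specified above (header format, JSON body, POST) using only the standard library, and maps each documented status response to a short remediation hint. The subdomain and credential values passed in are placeholders, and the hint strings are this example's own wording.

```python
# Added example (not OneLogin's code): build the revoke request as the docs
# specify and classify the documented status responses. Standard library only.
import json
import urllib.error
import urllib.request


def build_revoke_request(subdomain, client_id, client_secret, access_token):
    """Return a urllib Request for POST https://<subdomain>/auth/oauth2/revoke."""
    url = f"https://{subdomain}/auth/oauth2/revoke"
    headers = {
        # Documented format; must be the pair that issued the token being revoked
        "Authorization": f"client_id:{client_id}, client_secret:{client_secret}",
        "Content-Type": "application/json",
    }
    body = json.dumps({"access_token": access_token}).encode("utf-8")
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


# Hints keyed on the documented message text, since two different 400s share a code.
_HINTS = {
    "Content Type is not specified": "set Content-Type: application/json",
    "Access Token Missing": "include access_token in the JSON body",
    "The authorization information is missing": "fix the Authorization header format",
    "Authentication Failure": "client_id/client_secret are wrong or not the pair that issued the token",
    "No Route Exists": "use POST, not another method",
}


def interpret_response(http_code, body):
    """Map the response's status object to (outcome, hint)."""
    try:
        status = json.loads(body)["status"]
    except (ValueError, KeyError, TypeError):
        return ("unexpected", f"HTTP {http_code} with non-JSON or unknown body")
    if status.get("error") is False and status.get("code") == 200:
        return ("revoked", "")
    message = str(status.get("message", ""))
    for prefix, hint in _HINTS.items():
        if message.startswith(prefix):
            return ("failed", hint)
    return ("failed", f"HTTP {status.get('code', http_code)}: {message}")


def revoke_token(subdomain, client_id, client_secret, access_token,
                 opener=urllib.request.urlopen):
    """Send the request; urllib raises on 4xx, so the error body is read too."""
    req = build_revoke_request(subdomain, client_id, client_secret, access_token)
    try:
        with opener(req, timeout=10) as resp:
            return interpret_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return interpret_response(err.code, err.read())
```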


Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl 'https://<subdomain>/auth/oauth2/revoke' \
-X POST \
-H "Authorization: client_id:<client_id>, client_secret:<client_secret>" \
-H "Content-Type: application/json" \
-d '{
    "access_token":"<access token>"
}'

Python

See Work with OAuth 2.0 Tokens, Users, and Roles.

