
Revoke Token

Revoke an access token and refresh token pair.

Warning: Revoking an access token means that the access token and its associated refresh token will no longer work.

Resource URL

https://<subdomain>/auth/oauth2/revoke

Header Parameters

Authorization (required, string)

Set to client_id:<client_id>, client_secret:<client_secret>.

The client ID and client secret must be the ones used to generate the access token that you want to revoke.

For details about getting a client ID and client secret, see API Credentials.

Content-Type (required, string)

Set to application/json.

Request Parameters

access_token (required, string)

Set to the access token you want to revoke.

This access token must have been generated using the client_id and client_secret provided in the Authorization header.

Sample Request Body

{
   "access_token": "xx508xx63817x752xx74004x30705xx92x58349x5x78f5xx34x8x614xxxx1451"
}

Sample Response

{
    "status": {
        "error": false,
        "code": 200,
        "type": "success",
        "message": "Success"
    }
}

Here are a few different errors that will return a 400 Bad Request status code.

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "Content Type is not specified or specified incorrectly. Content-Type header must be set to application/json"
    }
}

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "Access Token Missing"
    }
}

Typically, the following error means that your Authorization header value is missing or incorrectly formatted. The Authorization header format must be: client_id:<client_id>, client_secret:<client_secret>.

{
    "status": {
        "error": true,
        "code": 400,
        "type": "bad request",
        "message": "The authorization information is missing"
    }
}

Typically, this error means that your client_id and/or client_secret values are invalid.

{
    "status": {
        "error": true,
        "code": 401,
        "type": "Unauthorized",
        "message": "Authentication Failure"
    }
}

Typically, this error means that you are using the incorrect method. If you receive this error, ensure that you are making a POST.

{
    "status": {
        "error": true,
        "code": 404,
        "type": "not found",
        "message": "No Route Exists"
    }
}

Postman Collection

Replace sample variables indicated by < > in the sample request body with your actual values. Also, be sure to set Postman-specific environment variables indicated by {{ }}.

Download for the OAuth 2.0 Tokens API

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl 'https://<subdomain>/auth/oauth2/revoke' \
-X POST \
-H "Authorization: client_id:<client_id>, client_secret:<client_secret>" \
-H "Content-Type: application/json" \
-d '{
    "access_token":"<access token>"
}'

Python

See Work with OAuth 2.0 Tokens, Users, and Roles.
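As an added example (not OneLogin's own sample code), the request above assembled with the standard library, plus a helper that maps the documented status envelopes back to a diagnosis. The function names and the sample envelopes are constructed for this example; only the path, headers, body shape and error messages come from the page.

```python
import json
import urllib.error
import urllib.request

REVOKE_PATH = "/auth/oauth2/revoke"  # path from the page; the subdomain is yours

def build_revoke_request(subdomain, client_id, client_secret, access_token):
    """Assemble the documented POST: client credentials in Authorization, JSON body."""
    url = f"https://{subdomain}{REVOKE_PATH}"
    headers = {
        "Authorization": f"client_id:{client_id}, client_secret:{client_secret}",
        "Content-Type": "application/json",
    }
    body = json.dumps({"access_token": access_token}).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def classify_revoke_response(http_status, body_text):
    """Map the status envelope to a short outcome using the errors the page lists."""
    try:
        status = json.loads(body_text)["status"]
    except (ValueError, KeyError, TypeError):
        return f"unexpected response (HTTP {http_status})"
    code, msg = status.get("code", http_status), status.get("message", "")
    if not status.get("error") and code == 200:
        return "revoked"
    if code == 400 and "Content Type" in msg:
        return "Content-Type header must be application/json"
    if code == 400 and msg == "Access Token Missing":
        return "request body must contain access_token"
    if code == 400 and "authorization information" in msg:
        return "Authorization header missing or malformed"
    if code == 401:
        return "client_id/client_secret invalid or not the pair that issued the token"
    if code == 404:
        return "wrong HTTP method: the endpoint expects POST"
    return f"unhandled error {code}: {msg}"

def revoke_token(subdomain, client_id, client_secret, access_token):
    """Send the request; error responses also carry the JSON status envelope."""
    req = build_revoke_request(subdomain, client_id, client_secret, access_token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_revoke_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return classify_revoke_response(exc.code, exc.read().decode())

# Constructed samples: the page's success envelope and its 401 envelope.
SAMPLE_OK = '{"status": {"error": false, "code": 200, "type": "success", "message": "Success"}}'
SAMPLE_401 = '{"status": {"error": true, "code": 401, "type": "Unauthorized", "message": "Authentication Failure"}}'
```

Only revoke_token touches the network; the other two functions can be exercised offline against the sample envelopes.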
