
Revoke a Token


Use this API to revoke an access_token or refresh_token.

The authentication requirements for this request are dependent on the Token Endpoint Authentication Method that is defined on an OpenId Connect application.

  • Basic - Client ID and Client Secret are required in the Authorization header.
  • POST - Client ID and Client Secret are required in the request body.
  • None (PKCE) - Client ID is required in the request body. Do not include Client Secret.
Sending credentials in both Authorization header and payload body will cause an error.



Resource URL

https://<subdomain>.onelogin.com/oidc/2/token/revocation

Header Parameter

Authorization

string

Required if Token Endpoint Authentication Method is set to Basic

Set to Basic <base64 encoded "clientId:clientSecret">.

The client_id and client_secret are generated when you configure your OpenId Connect app in OneLogin.

e.g. Using Node.js this would be

// new Buffer() is deprecated; Buffer.from() is the supported form
Buffer.from(`${this.client_id}:${this.client_secret}`).toString('base64');

Content-Type

required

string

application/x-www-form-urlencoded

Resource Parameter

subdomain

required

string

Set to the subdomain of your OneLogin instance.

e.g. oidc-sample where the instance is https://oidc-sample.onelogin.com

Request Parameter

token

required

string

The access_token or refresh_token that will be revoked.

When an access_token is supplied, only that token is invalidated.

When a refresh_token is supplied, all of the tokens related to it are invalidated as well.

token_type_hint

string

Set to access_token or refresh_token based on the type of token that is being revoked.

client_id

string

The OneLogin generated Client ID for your OpenID Connect app.

Required if Token Endpoint Authentication method is set to POST or none (PKCE).

client_secret

string

The OneLogin generated Client Secret for your OpenID Connect app.

Required if Token Endpoint Authentication method is set to POST.

Sample Request Body

token=MmVkMTIyNGUtODI5MC00YzQ4LThkZmQtYzUzYmMzODBkYjY3UV4nmxKh4z....&token_type_hint=access_token

Sample Response

The token may already have been revoked

{
    "error": "unsupported_token_type",
    "error_description": "revocation of the presented token type is not supported"
}

The Authorization header is malformed, or the client credentials were rejected

{
    "error": "invalid_request",
    "error_description": "invalid authorization header value format"
}
{
    "error": "invalid_request",
    "error_description": "Authentication Failed"
}
{
    "error": "invalid_request",
    "error_description": "Access is unauthorized"
}

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl -XPOST "https://<subdomain>.onelogin.com/oidc/2/token/revocation" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "token=<access_token>&token_type_hint=access_token"
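The following Node.js example is added here and is not OneLogin's own code. It builds the revocation request for each Token Endpoint Authentication Method described above (Basic, POST, None/PKCE), putting the client credentials in exactly one place so the "credentials in both header and body" error cannot occur, percent-encodes the token, and maps the response onto a result object. It assumes Node.js 18+ (global fetch, Buffer and URLSearchParams); the function and parameter names are this example's own, and the assumption that a successful revocation is an HTTP 200 with an empty body comes from RFC 7009, not from this page.

```javascript
// Added example (not OneLogin's own code): build the revocation request for
// each Token Endpoint Authentication Method on this page, then send it.
// Assumes Node.js 18+ (global fetch, Buffer, URLSearchParams). Only
// sendRevocation() touches the network; the builder is pure.

const AUTH_METHODS = new Set(['basic', 'post', 'none']);
const TOKEN_TYPE_HINTS = new Set(['access_token', 'refresh_token']);

// Returns { url, method, headers, body } for the given auth method, placing the
// client credentials in exactly one location (header OR body, never both).
function buildRevocationRequest({ subdomain, authMethod, clientId, clientSecret, token, tokenTypeHint }) {
  if (!AUTH_METHODS.has(authMethod)) throw new Error(`unknown authMethod: ${authMethod}`);
  if (!subdomain || !token) throw new Error('subdomain and token are required');
  if (tokenTypeHint !== undefined && !TOKEN_TYPE_HINTS.has(tokenTypeHint)) {
    throw new Error('token_type_hint must be access_token or refresh_token');
  }

  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  // URLSearchParams percent-encodes the token, so '+', '=' or '/' inside it survive intact.
  const body = new URLSearchParams({ token });
  if (tokenTypeHint) body.set('token_type_hint', tokenTypeHint);

  switch (authMethod) {
    case 'basic':
      if (!clientId || !clientSecret) throw new Error('Basic needs clientId and clientSecret');
      headers.Authorization = 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
      break; // nothing about the client goes into the body
    case 'post':
      if (!clientId || !clientSecret) throw new Error('POST needs clientId and clientSecret');
      body.set('client_id', clientId);
      body.set('client_secret', clientSecret);
      break;
    case 'none': // public (PKCE) client: client_id only; a secret here is a configuration bug
      if (!clientId) throw new Error('none (PKCE) needs clientId');
      if (clientSecret) throw new Error('none (PKCE) clients must not send a client_secret');
      body.set('client_id', clientId);
      break;
  }

  return {
    url: `https://${subdomain}.onelogin.com/oidc/2/token/revocation`,
    method: 'POST',
    headers,
    body: body.toString(),
  };
}

// Maps an HTTP status and raw response body onto a small result object.
// Assumption (RFC 7009 behaviour, not stated on this page): success is an
// HTTP 200 with an empty body. Error bodies follow the JSON shape shown above.
function interpretRevocationResponse(status, bodyText) {
  if (status === 200 && bodyText.trim() === '') return { ok: true, status };
  let parsed;
  try {
    parsed = JSON.parse(bodyText);
  } catch (_) {
    return { ok: false, status, error: 'unparseable_response', error_description: bodyText };
  }
  return {
    ok: false,
    status,
    error: parsed.error,
    error_description: parsed.error_description,
    // The page notes that unsupported_token_type can mean the token was already
    // revoked; cleanup code may treat that as idempotent success.
    alreadyRevoked: parsed.error === 'unsupported_token_type',
  };
}

// Sends the built request. Example call:
//   await sendRevocation({ subdomain: 'oidc-sample', authMethod: 'basic',
//                          clientId, clientSecret, token, tokenTypeHint: 'refresh_token' });
async function sendRevocation(params) {
  const req = buildRevocationRequest(params);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  return interpretRevocationResponse(res.status, await res.text());
}
```

Keeping the builder free of I/O lets you unit-test the credential placement for each method without a OneLogin tenant; only sendRevocation() needs network access. Revoking with tokenTypeHint set to refresh_token is the right choice on logout, since the page states that revoking a refresh_token invalidates its related tokens too.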

Postman Collection

Replace sample variables indicated by {{ }} with your actual values.

Download for the OpenId Connect API

