Token Revocation
The token revocation endpoint is used to revoke tokens. This is useful when a client deems a token useless before it expires. The endpoint supports revoking access tokens and refresh tokens.
Name | Description |
---|---|
Token Revocation | Specification for revoking tokens |
The token revocation endpoint accepts HTTP POST requests with a body encoded as application/x-www-form-urlencoded.
The endpoint requires client authentication by confidential clients; the authentication parameters are defined in the Client Authentication page.
The token revocation endpoint returns HTTP 200 with no content if successful, and 400 if an error occurred.
If the token is already revoked, expired or does not exist, then the operation is considered successful.
The following table shows the parameters that can be sent to the endpoint.
Name | Description |
---|---|
token | The token to be revoked. It is required. |
token_type_hint | The type of token to be revoked. It is optional. |
The following HTTP example shows a request to revoke an access token.
```http
POST /connect/revoke HTTP/1.1
Host: idp.authserver.dk
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=2YotnFZFEjr1zCsicMWpAA
```
The following HTTP example shows the response.
```http
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
```
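The following Python client is an added example, not part of the original documentation or the server's own code: it builds the request shown above and maps the 200 and 400 responses as described. The function names, the https scheme and the HTTP Basic encoding of the client credentials are assumptions; the client id and secret are the values decoded from the example's Authorization header.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request


def build_revocation_request(endpoint, client_id, client_secret, token,
                             token_type_hint=None):
    """Build the revocation POST; nothing is sent here."""
    if urllib.parse.urlsplit(endpoint).scheme != "https":
        # The body carries a live token and the header a client secret.
        raise ValueError("revocation endpoint must use https")
    params = {"token": token}  # required
    if token_type_hint is not None:
        params["token_type_hint"] = token_type_hint  # optional
    body = urllib.parse.urlencode(params).encode("ascii")
    # Assumption: HTTP Basic client authentication, with id and secret
    # form-encoded before base64 as in RFC 6749 section 2.3.1.
    pair = "{}:{}".format(urllib.parse.quote_plus(client_id),
                          urllib.parse.quote_plus(client_secret))
    basic = base64.b64encode(pair.encode("ascii")).decode("ascii")
    return urllib.request.Request(endpoint, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + basic,
    })


def revoke(request, opener=urllib.request.urlopen):
    """Send the request. True means the token is unusable (revoked now, or
    already revoked, expired or unknown); False means the server sent 400."""
    try:
        with opener(request, timeout=10) as response:
            return response.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 400:
            return False
        raise  # other status codes are not described on this page


if __name__ == "__main__":
    # Values taken from the HTTP example above; the request is only printed.
    req = build_revocation_request("https://idp.authserver.dk/connect/revoke",
                                   "s6BhdRkqt3", "gX1fBat3bV",
                                   "2YotnFZFEjr1zCsicMWpAA")
    print(req.get_method(), req.full_url)
    print(req.get_header("Authorization"))
    print(req.data.decode("ascii"))
```

A client should discard its local copy of the token whenever `revoke` returns True, since the endpoint reports success for tokens that were already revoked, expired or unknown.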