How to Revoke an Access Token or Refresh Token

When a client application is finished processing or it suspects a security violation it is good practice to revoke the tokens it is using. The access_token and refresh_token are revoked by calling the revoke_endpoint specified in the OpenId Connect Discovery document with the following configuation for the request:

  • The request method is POST.
  • The request body is x-www-form-urlencoded consisting of:
    • token= followed by the token to be revoked
    • An optional token_type_hint giving the type of the token to be revoked (access_token or refresh_token). If the hint is not given the revoke API will try both types of tokens before returning.
  • An HTTP Authorization header formatted in the HTTP Basic Auth format with the client_id and client_secret serving as the userid and password.

The curl command to revoke a token is as follows:

curl -X POST --basic -u "<client_id>:<client_secret>" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "token=<token to be revoked>&token_type_hint=access_token" https://api.byu.edu/revoke