How to Revoke an Access Token or Refresh Token
When a client application is finished processing or it suspects a security violation it is good practice to revoke the tokens it is using. The access_token and refresh_token are revoked by calling the revoke_endpoint specified in the OpenId Connect Discovery document with the following configuation for the request:
- The request method is POST.
- The request body is
token=followed by the token to be revoked
- An optional
token_type_hintgiving the type of the token to be revoked (
refresh_token). If the hint is not given the revoke API will try both types of tokens before returning.
- An HTTP Authorization header formatted in the HTTP Basic Auth format with the client_id and client_secret serving as the userid and password.
The curl command to revoke a token is as follows:
curl -X POST --basic -u "<client_id>:<client_secret>" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "token=<token to be revoked>&token_type_hint=access_token" https://api.byu.edu/revoke