Authentication (OAuth)API ReferenceToken Revocation Endpoint

Token Revocation Endpoint

POST/openapi/v1/oauth/revoke

Revokes an access token. Per RFC 7009 §2.2, this endpoint always returns `200 OK` — including when the token is already expired or unknown.

Access token revocation: The token is immediately invalidated.


Request Parameters

application/x-www-form-urlencoded
tokenRequiredstring
The access token or refresh token to revoke.
client_idOptionalstring
Required for all recognized tokens. Must match the token's owner. `confidential` clients must also provide `client_secret`.
client_secretOptionalstring(password)
Required only for `confidential` clients (in addition to `client_id`).

Request Example

"token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...&client_id=SGCLxQk2mN8pR4vW1yH3jT5bZ6aE7cF0&client_secret=Kj3mN8pR4vW1xZ6bY2qT5hE9gA0cF7dLsUr4Qz8P"

Response Parameters


Error Codes

HTTP StatusError CodeDescription
400invalid_request`token` parameter is missing.
401invalid_clientclient_secret not provided for confidential client
401invalid_clientClient authentication failed