Removes all existing access grants associated with the selected user. This endpoints removes all access tokens, all refresh tokens, and all refresh secrets that have been issued to the user. Removing the access grants forces the user to re-authenticate should they attempt to exercise any of those grants. 

Note that this endpoint does not remove access grants that may be managed by other services, such as Single Sign-On.

This endpoint requires a client with the ownerdirect_accessaccess_issuer, or login_client feature.

This endpoint uses the following methods:

  • POST



This endpoint supports both Basic authentication (recommended) and janrain-signed authentication.

How to Create an Authentication String

Base URL

The base URL for this endpoint is your Identity Cloud Capture domain; for example:


Your Capture domains (also known as Registration domains) can be found in the Console on the Manage Application page:


This command deletes all the access grants that reference the user UUID 2efede78-fdf7-4e38-9785-4a82de768b9f.

curl -X POST \
  -H "Authorization: Basic c2dueXZ1czZwYzRqbTdraHIybmVxNWdzODlnYnIyZXE6d3Q0YzN1bjl3a2tjZnZ5a25xeDQ0eW5jNDc2YWZzNjg=" \
  --data-urlencode type_name=user \
  --data-urlencode uuid=2efede78-fdf7-4e38-9785-4a82de768b9f \
      Running this command in Postman

Example Response

  "stat": "ok"

Authorized Clients

  • owner 
  • login_client 
  • direct_access 
  • access_issuer

Query Parameters

Parameter Type Required Description
id string Entity ID. Required if you are not using the uuid or key_attributes parameters.
key_attribute string Name of a unique attribute used with schema. Required if you are not using the id or uuid parameters, and must be used in conjunction with the key_value parameter.
key_value string Value for the attribute specified by the key_attribute parameter. String values must be enclosed in quotes.
uuid string Unique identifier for the user record. Required if you are not using the id or key_attribute parameters.