Revoke a Token

Endpoint URL: /{customerId}/login/token/revoke


Revokes previously-issued access tokens or refresh tokens. After an access token has been revoked, it can no longer be used to gain access to a protected resource. After a refresh token has been revoked, it can no longer be used to request a new access token. 

Note that the client attempting to revoke a token must be the same client that originally issued the token.

Respects the API Client Allow List: No

Request Parameters

Note that request parameters must be configured as x-www-form-urlencoded parameters.

  • token: Access token or refresh token that you want to revoke.
  • client_id: Should be used only if the OIDC client is a public client; for confidential clients, use Basic authentication instead. Either way, the client trying to revoke the token must be the same client that issued the token: OIDC client A can't revoke a token that was issued by OIDC client B.


The authentication method employed when revoking a token depends on the type of OIDC client you're using:

  • If you're using a confidential client, use Basic authentication, setting the client ID as the username and the client secret as the password.
  • If you're using a public client, pass the client ID as the parameter value for the client_id parameter.

Sample Request for a Confidential Client (curl)

The following command revokes the access token 03v-cgrdpp69hHXXIx56pRLyD98kldDxqEwI59MFCFGVuSkLmmkzgmfwm324Wli (replace the placeholder host and customer ID with your own values):

curl -X POST 'https://<identity-cloud-host>/<customerId>/login/token/revoke' \
  -H 'Authorization: Basic RcaWTi0woO52rqZjlbApm2lL3Aokzd1bhCZZajX51aX4IQrH1Uj1D4ks9HfJtxoRI7HCsyNVoc6Qj4oBfuplftc7tMbR26eZHwtEqaw9RLMBeIJDvqvqyD4l' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'token=03v-cgrdpp69hHXXIx56pRLyD98kldDxqEwI59MFCFGVuSkLmmkzgmfwm324Wli'

Sample Request for a Public Client (curl)

The following command revokes the access token 2dbk62MffhrYsSt0MYKYiRw29dEXI4dBfvsLXb6yVeMHppjgfeZ8S5acqzGLVfnO (replace the placeholder host and customer ID with your own values):

curl -X POST 'https://<identity-cloud-host>/<customerId>/login/token/revoke' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'token=2dbk62MffhrYsSt0MYKYiRw29dEXI4dBfvsLXb6yVeMHppjgfeZ8S5acqzGLVfnO' \
  --data-urlencode 'client_id=70a45721-c6ef-4d7c-91ff-f14e9346b8b6'
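The two curl samples above show the wire format; the following Python is an added example (not code from the documented service) that builds the same request for either client type and models, on the server side, the two rules this page states: a token can only be revoked by the client it was issued to, and the reply is the same 200 OK whether the token was live, unknown, or someone else's. The hostname, the client IDs and secrets, the tokens, and the 401 returned for a failed client authentication are all constructed assumptions, not values from the page.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# Placeholder host: the page documents only the endpoint path, not a hostname.
HOST = "https://identity.example.com"


def build_revoke_request(customer_id, token, client_id, client_secret=None):
    """Build (url, headers, body) for one revocation call.

    A confidential client (one that holds a client_secret) authenticates with
    HTTP Basic, client ID as username and secret as password.  A public client
    has no secret and sends client_id as a form parameter instead.  Either way
    the body is x-www-form-urlencoded, as the endpoint requires.
    """
    url = f"{HOST}/{customer_id}/login/token/revoke"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {"token": token}
    if client_secret is not None:
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    else:
        params["client_id"] = client_id
    return url, headers, urlencode(params)


class RevocationEndpoint:
    """Toy server-side model of the rules the page states (not the real service).

    - only the client a token was issued to may revoke it;
    - the response is the same 200 whether the token was live, already
      revoked, unknown, or issued to another client, so nothing about token
      existence or structure leaks to the caller.
    """

    def __init__(self, issued, secrets):
        self._issued = dict(issued)    # token -> client_id it was issued to (constructed)
        self._secrets = dict(secrets)  # client_id -> secret, or None for a public client

    def _authenticate(self, headers, params):
        """Return the calling client's ID, or None if client authentication fails."""
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            except (ValueError, UnicodeDecodeError):
                return None
            secret = self._secrets.get(user)
            if secret is not None and hmac.compare_digest(secret, pw):
                return user
            return None
        cid = params.get("client_id")
        if cid in self._secrets and self._secrets[cid] is None:
            return cid  # public client: identified by client_id only
        return None

    def handle(self, headers, body):
        """Process one revocation request; returns (status, body)."""
        params = {k: v[0] for k, v in parse_qs(body).items()}
        client_id = self._authenticate(headers, params)
        if client_id is None:
            return 401, "invalid_client"  # assumed behaviour, not stated on the page
        token = params.get("token")
        if token is not None and self._issued.get(token) == client_id:
            del self._issued[token]
        # Uniform reply regardless of the token's fate: nothing else is returned.
        return 200, ""

    def is_valid(self, token):
        return token in self._issued


def run_demo():
    """Exercise both client types against constructed sample data."""
    ep = RevocationEndpoint(
        issued={"tok-A1": "client-A", "tok-B1": "client-B"},
        secrets={"client-A": "s3cret-A", "client-B": None},
    )
    out = {}
    # Confidential client A revokes its own token.
    _, h, b = build_revoke_request("cust-1", "tok-A1", "client-A", "s3cret-A")
    out["own_token"] = (ep.handle(h, b)[0], ep.is_valid("tok-A1"))
    # Client A tries to revoke client B's token: same 200, token untouched.
    _, h, b = build_revoke_request("cust-1", "tok-B1", "client-A", "s3cret-A")
    out["foreign_token"] = (ep.handle(h, b)[0], ep.is_valid("tok-B1"))
    # Public client B revokes its own token using the client_id parameter.
    _, h, b = build_revoke_request("cust-1", "tok-B1", "client-B")
    out["public_client"] = (ep.handle(h, b)[0], ep.is_valid("tok-B1"))
    # Wrong secret is a client-authentication failure, not a silent 200.
    _, h, b = build_revoke_request("cust-1", "tok-A1", "client-A", "wrong")
    out["bad_secret"] = ep.handle(h, b)[0]
    return out


if __name__ == "__main__":
    print(run_demo())
```

Running the module prints the outcome of each scenario: the client's own token is gone after the call, the other client's token survives an identical-looking 200, and the public client succeeds with only its client_id. The uniform 200 is deliberate on the server side; a client that wants to confirm revocation should simply stop using the token rather than probe the endpoint.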


200 OK

If your call to this endpoint succeeds, you'll get back the following response:

  • 200 OK: The token was revoked successfully or the token was invalid.

Note that the return value only indicates that the token is no longer valid; no other information about the token is returned. This is a security measure that prevents malefactors from using old tokens to query the revocation endpoint for information about how tokens are constructed.