OAuth 2.0 token revocation endpoint

1. Revoking obtained access and refresh tokens

Clients can notify the Connect2id server that a previously obtained refresh or access token is no longer needed. This is done by making a request to the token revocation endpoint, as specified in RFC 7009. The server will invalidate the specified token and, if applicable, other tokens based on the same authorisation grant.

2. The token revocation endpoint URL

The token revocation endpoint URL can be obtained from the server discovery endpoint:


3. Clients must authenticate

Clients must authenticate to the server with their client_id and client_secret credentials obtained at registration in order to make a token revocation request.

Client secret basic is the default authentication method.

Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

4. Web API overview

Representations Errors

4. Resources

4.1 /token

4.1.1 POST

Revokes an obtained refresh or access token.

Header parameters:

  • [ Authorization ] The client authentication credentials, encoded using the registered method, such as HTTP basic authentication.

  • Content-Type Must be set to application/x-www-form-urlencoded.

Body with form parameters:

  • token The token that the client wants to get revoked.

  • [ token_type_hint ] Optional hint about the type of the submitted token; if omitted the server will use heuristics to determine the token type:

    • access_token -- the token is an access token

    • refresh_token -- the token is a refresh token


  • Code: 200


Example token revocation request hinting its type:

POST /token/revoke HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW


Example token revocation request; the server will be let to determine the token type:

POST /token/revoke HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW


The server will return a 200 status regardless of whether the submitted token was valid or not (required by the specification):

HTTP/1.1 200 OK

5. Errors

400 Bad Request

Invalid or malformed request.


HTTP/1.1 400 Bad Request

401 Unauthorized

The request was denied due to an invalid or missing client authentication.


HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic

500 Internal Server Error

An internal server error has occurred. Check the Connect2id server logs for details.


HTTP/1.1 500 Internal Server Error