POST /api/oauth/revoke

Revoke an access token or refresh token (RFC 7009).

Endpoint

text

POST /api/oauth/revoke

Content Type

Send application/x-www-form-urlencoded.

Client Authentication

Supported methods:

client_secret_basic
client_secret_post

Required form fields

Field	Description
`token`	The access token or refresh token to revoke.
`client_id`	Required unless sent via HTTP Basic auth.
`client_secret`	Required unless sent via HTTP Basic auth.

Optional form fields

Field	Description
`token_type_hint`	Optional hint: `access_token` or `refresh_token`.

Refresh tokens are detected automatically when the token value starts with rt_.

Success Response

`200 OK`

The endpoint returns an empty body on success, including when the token is unknown, expired, or belongs to another client. This prevents token-enumeration attacks.

Error Responses

`400 Bad Request`

json

{
  "error": "invalid_request"
}

`401 Unauthorized`

json

{
  "error": "invalid_client"
}

`429 Too Many Requests`

json

{
  "error": "invalid_request"
}

`500 Internal Server Error`

json

{
  "error": "internal_server_error"
}

Notes

Only tokens issued to the authenticated client can be revoked.
Revoking a refresh token also revokes active access tokens for that client/user pair.
Responses include Cache-Control: no-store and Pragma: no-cache.

POST /api/oauth/revoke ​

Endpoint ​

Content Type ​

Client Authentication ​

Required form fields ​

Optional form fields ​

Success Response ​

200 OK ​

Error Responses ​

400 Bad Request ​

401 Unauthorized ​

429 Too Many Requests ​

500 Internal Server Error ​

Notes ​

POST /api/oauth/revoke

Endpoint

Content Type

Client Authentication

Required form fields

Optional form fields

Success Response

`200 OK`

Error Responses

`400 Bad Request`

`401 Unauthorized`

`429 Too Many Requests`

`500 Internal Server Error`

Notes