Token Revocation
  • 04 Apr 2024

This mechanism allows clients to notify the authorization server that a previously obtained Refresh Token is no longer needed (note that an Access Token cannot be revoked).

A revocation request will invalidate the actual token and, if applicable, other tokens based on the same authorization grant.

The OAuth 2.0 Token Revocation endpoint requires authentication. Authentication is done with client_id and client_secret.

The client must send these in the Authorization header as HTTP Basic authentication, with client_id as the username and client_secret as the password. The credentials must be base64 encoded:

Authorization: Basic base64encode("client_id:client_secret")

NOTE! If the client is not required to use a client_secret (for example, a client using the PKCE flow), the client_secret can be left empty in the Authorization header ("client_id:").

Example (replace base64encode("client_id:client_secret") with the actual base64-encoded credentials; the parameters are sent as a form-encoded POST body):

      curl --request POST --url https://connect.visma.com/connect/revocation --header 'authorization: Basic base64encode("client_id:client_secret")' --header 'content-type: application/x-www-form-urlencoded' --data 'token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token'

Parameters:

Name             Example Value          Required  Description
token            45ghiukldjahdnhzdauz   yes       token string
token_type_hint  refresh_token          no        refresh_token

Possible HTTP status code responses:

200 OK - if Token is removed successfully
400 Bad Request - if the client is invalid
401 Unauthorized - if the client is not authorized to remove the token
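The request described above, worked through in Python as an added example (this is not Visma's own code). It builds the Basic Authorization header (including the empty-secret form for PKCE clients), assembles the form-encoded revocation request, and maps the documented status codes to an outcome. The endpoint URL and the parameter names come from this article; the function names and the placeholder credentials are assumptions.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request

# Revocation endpoint as given in the article.
REVOCATION_URL = "https://connect.visma.com/connect/revocation"


def build_basic_auth_header(client_id, client_secret=""):
    """Return the Authorization header value for HTTP Basic auth.

    A public client (PKCE flow) has no secret, so the encoded credential is
    simply "client_id:" as described in the article.
    """
    credentials = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def build_revocation_request(client_id, client_secret, token,
                             token_type_hint="refresh_token"):
    """Build (but do not send) the POST request to the revocation endpoint."""
    # RFC 7009 revocation requests carry the parameters as a form-encoded body.
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": token_type_hint}
    ).encode("ascii")
    request = urllib.request.Request(REVOCATION_URL, data=body, method="POST")
    request.add_header("Authorization",
                       build_basic_auth_header(client_id, client_secret))
    request.add_header("Content-Type", "application/x-www-form-urlencoded")
    return request


def interpret_status(status):
    """Map the status codes documented in the article to an outcome string."""
    outcomes = {
        200: "revoked",           # token (and related tokens) invalidated
        400: "invalid_client",    # the client is invalid
        401: "unauthorized",      # client not authorized to remove the token
    }
    return outcomes.get(status, "unexpected")


def revoke_refresh_token(client_id, client_secret, refresh_token):
    """Send the revocation request and return the interpreted outcome."""
    request = build_revocation_request(client_id, client_secret, refresh_token)
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            status = response.status
    except urllib.error.HTTPError as err:
        # Error responses (400, 401, ...) are raised by urllib; keep the code.
        status = err.code
    return interpret_status(status)


if __name__ == "__main__":
    # Placeholder credentials and token (assumed values, not real ones);
    # running this sends a real request to the revocation endpoint.
    print(revoke_refresh_token("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET",
                               "YOUR_REFRESH_TOKEN"))
```

Only `revoke_refresh_token` touches the network; the header and request builders are pure functions, so a client can verify the exact bytes it will send (for instance that a PKCE client emits "client_id:" with an empty password) before any credential leaves the process.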
