Token Revocation
- Updated on 04 Apr 2024
This mechanism allows clients to notify the authorization server that a previously obtained Refresh Token is no longer needed (note that an Access Token cannot be revoked).
A revocation request will invalidate the actual token and, if applicable, other tokens based on the same authorization grant.
The OAuth 2.0 Token Revocation endpoint requires authentication. Authentication is done with client_id and client_secret.
The client must send these in the Authorization header using HTTP Basic authentication, with client_id as the username and client_secret as the password. The "client_id:client_secret" pair must be base64 encoded:
`Authorization: Basic base64encode("client_id:client_secret")`
NOTE! If the client is not required to use a client_secret (for example, a client using the PKCE flow), the client_secret can be left empty in the Authorization header, i.e. the encoded value is "client_id:".
Example (the Basic value is the base64 encoding of "client_id:client_secret"; the token value is the one from the parameter table below):
```shell
curl --request POST --url https://connect.visma.com/connect/revocation \
  --header 'Authorization: Basic base64encode("client_id:client_secret")' \
  --data 'token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token'
```
Parameters:
Name | Example Value | Required | Description |
---|---|---|---|
token | 45ghiukldjahdnhzdauz | yes | token string |
token_type_hint | refresh_token | no | refresh_token |
Possible HTTP status code responses:
200 OK - if Token is removed successfully
400 Bad Request - if the client is invalid
401 Unauthorized - if the client is not authorized to remove the token
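The request described above, written out as an added Python example (not Visma's own code or SDK): it builds the Basic header (including the empty-secret form for PKCE clients), encodes the form body with the token and token_type_hint parameters, and maps the three documented status codes. The endpoint URL and the example token come from this page; the client_id and client_secret values are constructed placeholders, the form content type is assumed to be application/x-www-form-urlencoded as in RFC 7009 (the page does not state it), and the stub opener exists only so the status handling can be exercised without network access.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request

# Endpoint from the page
REVOCATION_URL = "https://connect.visma.com/connect/revocation"


def build_basic_auth_header(client_id: str, client_secret: str = "") -> str:
    """Return the Authorization header value for HTTP Basic auth.

    For a PKCE / public client the secret is empty, so the encoded
    string is just "client_id:" as the page describes.
    """
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_revocation_request(token: str, client_id: str, client_secret: str = "",
                             token_type_hint: str = "refresh_token",
                             url: str = REVOCATION_URL) -> urllib.request.Request:
    """Build the POST request for the revocation endpoint (no network call)."""
    form = {"token": token}
    if token_type_hint:  # optional parameter per the table on the page
        form["token_type_hint"] = token_type_hint
    body = urllib.parse.urlencode(form).encode("ascii")
    headers = {
        "Authorization": build_basic_auth_header(client_id, client_secret),
        # Assumption: standard form encoding (RFC 7009); not stated on the page
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def interpret_status(status: int) -> str:
    """Map the documented HTTP status codes to a short outcome label."""
    outcomes = {
        200: "revoked",         # token removed successfully
        400: "invalid_client",  # the client is invalid
        401: "unauthorized",    # client not authorized to remove the token
    }
    return outcomes.get(status, f"unexpected_{status}")


def revoke_refresh_token(token: str, client_id: str, client_secret: str = "",
                         opener=urllib.request.urlopen) -> str:
    """Send the revocation request and return the outcome label.

    `opener` defaults to urllib's urlopen; it is injectable so the flow can
    be exercised offline. Non-2xx responses surface as HTTPError.
    """
    req = build_revocation_request(token, client_id, client_secret)
    try:
        with opener(req) as resp:
            return interpret_status(resp.status)
    except urllib.error.HTTPError as err:
        return interpret_status(err.code)


class _StubResponse:
    """Constructed stand-in for an HTTP response (offline demo only)."""

    def __init__(self, status: int):
        self.status = status

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def stub_opener(status: int):
    """Return an opener that yields `status` instead of calling the network,
    raising HTTPError for error statuses the way urlopen does."""
    def _open(req: urllib.request.Request):
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "stub", {}, None)
        return _StubResponse(status)
    return _open


if __name__ == "__main__":
    # Constructed placeholder credentials; token value taken from the page's table.
    req = build_revocation_request("45ghiukldjahdnhzdauz", "client_id", "client_secret")
    print(req.get_method(), req.full_url)
    print("Authorization:", req.get_header("Authorization"))
    print("Body:", req.data.decode())
    for code in (200, 400, 401):
        print(code, "->", revoke_refresh_token("45ghiukldjahdnhzdauz", "client_id",
                                               "client_secret", opener=stub_opener(code)))
```

Because a successful revocation also invalidates other tokens issued from the same grant, a client should treat a "revoked" result as the end of that session and discard any cached access token along with the refresh token.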