Refresh Token Revocation

A refresh token can be revoked via the revoke endpoint.

To distinguish a refresh token from an access token at revocation, the token_type_hint parameter is required. It must have the value refresh_token to indicate that the token is a refresh token. Otherwise, the token is treated as an access token.

Sample revocation request

POST https://[base-server-url]/{tenant}/authn/revoke HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer Z+KhiAAAAWQEKiEgxd7JP59q1VlFDNhm3vLFB6Qu
 
token=35256753&client_id=client_id&token_type_hint=refresh_token

Note: If the refresh token is revoked, the bound session (access token) is revoked as well.

Refresh tokens, together with the access tokens bound to them, can also be revoked by public clients. If the client is defined as public, the client_id parameter is required in the revocation request.

Sample revocation request by public client

POST https://[base-server-url]/{tenant}/authn/revoke HTTP/1.1
Content-Type: application/x-www-form-urlencoded
 
token=35256753&token_type_hint=refresh_token&client_id=OpenID_admin
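The two requests above, built and checked in code. This is an added example, not the product's own client library: the endpoint path, the token_type_hint=refresh_token rule and the client_id requirement for public clients come from this page; the base URL, tenant, token values, the urllib-based sender and the lint function are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen


@dataclass
class RevocationRequest:
    url: str
    headers: dict
    body: str


def build_refresh_token_revocation(base_url, tenant, refresh_token, client_id,
                                   public_client=False, bearer_token=None):
    """Build the POST that revokes refresh_token and its bound access token.

    token_type_hint is always refresh_token: without it the server treats the
    token as an access token. client_id is sent for every client (both samples
    on the page carry it); a confidential client also sends the Authorization
    header, a public client identifies itself with client_id alone.
    """
    if not public_client and not bearer_token:
        raise ValueError("confidential client needs a bearer credential")
    url = f"{base_url.rstrip('/')}/{tenant}/authn/revoke"  # path from the page
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if not public_client:
        headers["Authorization"] = f"Bearer {bearer_token}"
    body = urlencode({"token": refresh_token, "client_id": client_id,
                      "token_type_hint": "refresh_token"})
    return RevocationRequest(url, headers, body)


def check_revocation_body(body):
    """Lint a form-encoded revocation body and return a list of problems.

    Catches the mistakes this page warns about: a missing or wrong
    token_type_hint (the token is then silently handled as an access token)
    and a client_id that is absent or, as in a copy-paste slip, sent twice.
    """
    params = parse_qs(body, keep_blank_values=True)
    problems = []
    if not params.get("token", [""])[0]:
        problems.append("token missing")
    if params.get("token_type_hint") != ["refresh_token"]:
        problems.append("token_type_hint is not refresh_token: treated as access token")
    n = len(params.get("client_id", []))
    if n != 1:
        problems.append(f"client_id must appear exactly once, found {n}")
    return problems


def send(req, timeout=10):
    """Send the request (assumed sender); returns the HTTP status code."""
    http_req = Request(req.url, data=req.body.encode(), headers=req.headers, method="POST")
    with urlopen(http_req, timeout=timeout) as resp:
        return resp.status
```

Run check_revocation_body over a request before sending it; an empty list means the body matches the shape this page requires.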