Refresh Token Revocation
A refresh token can be revoked via the revoke endpoint.
To tell a refresh token from an access token at revocation, the token_type_hint parameter is required. It must have the value refresh_token to indicate that the token is a refresh token; otherwise, the token is treated as an access token.
Sample revocation request
POST https://[base-server-url]/{tenant}/authn/revoke HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer Z+KhiAAAAWQEKiEgxd7JP59q1VlFDNhm3vLFB6Qu

token=35256753&client_id=client_id&token_type_hint=refresh_token
Refresh tokens, as well as bound access tokens, support revocation by public clients. If the client is defined as public, the client_id parameter is required in the revocation request.
Sample revocation request by public client
POST https://[base-server-url]/{tenant}/authn/revoke HTTP/1.1
Content-Type: application/x-www-form-urlencoded

token=35256753&token_type_hint=refresh_token&client_id=OpenID_admin
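The following added example (not part of the original documentation or the product's own code) builds both revocation requests described above in Python without sending them. The host idp.example.test, the tenant acme, and the function name build_revocation_request are assumptions chosen for illustration.

```python
from urllib.parse import urlencode
from urllib.request import Request

BASE_URL = "https://idp.example.test"  # assumed placeholder for [base-server-url]


def build_revocation_request(tenant, token, *, is_refresh_token,
                             client_id=None, bearer=None):
    """Build (without sending) a POST to /{tenant}/authn/revoke.

    Callers holding a bearer credential pass `bearer`; public clients pass
    `client_id` and send no Authorization header, as in the second sample.
    """
    if not token:
        raise ValueError("token is required")
    if bearer is None and not client_id:
        raise ValueError("a public client must send client_id")

    form = [("token", token)]
    if is_refresh_token:
        # Without this hint the server treats the value as an access token.
        form.append(("token_type_hint", "refresh_token"))
    if client_id:
        form.append(("client_id", client_id))  # added once, never repeated

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if bearer is not None:
        headers["Authorization"] = f"Bearer {bearer}"

    # urlencode percent-encodes '+', '/' and '=' so an opaque token value
    # is not altered when the server decodes the form body.
    body = urlencode(form).encode("ascii")
    return Request(f"{BASE_URL}/{tenant}/authn/revoke", data=body,
                   headers=headers, method="POST")


if __name__ == "__main__":
    # Constructed sample values, mirroring the public-client request above.
    req = build_revocation_request("acme", "35256753", is_refresh_token=True,
                                   client_id="OpenID_admin")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```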