A Refresh token can be revoked via the revoke endpoint.
To distinguish a refresh token or access token at revocation, the token_type_hint parameter is required. It must have the refresh_token value to indicate it is a refresh token. Otherwise, it is considered as an access token.
Copy
Sample revocation request
POST https://[base-server-url]/{tenant}/authn/revoke HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer Z+KhiAAAAWQEKiEgxd7JP59q1VlFDNhm3vLFB6Qu
token=35256753&client_id=client_id&token_type_hint=refresh_tokenNote: If the refresh token is revoked, the bound session (access token) is revoked as well.
Refresh tokens, as well as bound access tokens, support revocation by public clients. If the client is defined as public, the client_id parameter is required in the revocation request.
Copy
Sample revocation request by public client
POST https://[base-server-url]/{tenant}/authn/revoke HTTP/1.1
Content-Type: application/x-www-form-urlencoded
token=35256753&client_id=client_id&token_type_hint=refresh_token&client_id=OpenID_admin
