OAuth

Revoke an access token (RFC 7009)

Marks an access token as revoked. Subsequent requests presenting it return 401 unrecognized_token. Always returns 200 for valid client credentials, regardless of whether the token existed — per RFC 7009 to avoid leaking token-existence information.

Request Body

TypeScript Definitions

Use the request body type in TypeScript.

token?string

client_id?string

client_secret?string

Response Body

`application/json`

curl -X POST "https://example.com/oauth/revoke" \  -H "Content-Type: application/json" \  -d '{}'

{}

{  "error": "string",  "error_description": "string"}

Introspect an access token (RFC 7662) POST

Returns metadata about an access token (or {active: false} for an unknown, expired, or revoked token). The OAuth application must authenticate either via HTTP Basic or via client_id/client_secret in the body — the same credentials that minted the token.

Revoke an access token (RFC 7009)

Request Body

Response Body

200application/json

401application/json

`application/json`

`application/json`