Token Revocation

The oauth_token_revocation feature lets a client invalidate tokens before they expire. It can invalidate both access and refresh tokens; revoking a refresh token also revokes the access token(s) that were issued with it.

Who is it for

Applications that want a “logout” feature for their OAuth sessions, and applications that need to revoke tokens after a token breach.

How to enable it

plugin :rodauth do
  enable :oauth_token_revocation
end

URL

POST /revoke

This endpoint requires client authentication. Any of the auth methods supported by the token endpoint can be used, as well as token verification: presenting an access token that was issued to the client through the client credentials grant.

The revocation endpoint expects the following form-encoded parameters:

  • token: the access or refresh token to revoke (required);
  • token_type_hint: optional hint about the token’s type; when given, must be “access_token” or “refresh_token”.
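A client-side call to the endpoint, as an added example that is not part of rodauth-oauth: it builds the POST /revoke request with HTTP Basic client authentication (one of the token-endpoint auth methods) and a form body carrying `token` and the optional `token_type_hint`, then sends it and maps the response. The server URL, client credentials and token value are constructed placeholders.

```ruby
require "net/http"
require "uri"

# Build a revocation request for POST /revoke (RFC 7009 shape).
# The client authenticates with HTTP Basic (client_id:client_secret).
# `hint` is optional; when given it must be "access_token" or "refresh_token".
def build_revocation_request(revoke_uri, client_id, client_secret, token, hint: nil)
  unless hint.nil? || %w[access_token refresh_token].include?(hint)
    raise ArgumentError, "token_type_hint must be access_token or refresh_token"
  end

  uri = URI(revoke_uri)
  request = Net::HTTP::Post.new(uri)
  request.basic_auth(client_id, client_secret)

  params = { "token" => token }
  params["token_type_hint"] = hint if hint
  request.set_form_data(params) # application/x-www-form-urlencoded body
  request
end

# Send the request over TLS and interpret the result.
# RFC 7009 servers answer 200 both when the token was revoked and when it was
# already invalid or unknown, so 200 means "no longer usable", not "was valid".
def revoke_token(revoke_uri, client_id, client_secret, token, hint: nil)
  uri = URI(revoke_uri)
  request = build_revocation_request(revoke_uri, client_id, client_secret, token, hint: hint)

  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
    response = http.request(request)
    case response
    when Net::HTTPOK           then :revoked
    when Net::HTTPUnauthorized then :client_auth_failed
    else raise "unexpected response #{response.code}: #{response.body}"
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed placeholder values; replace with the real server URL, client
  # credentials and the token you want to revoke.
  p revoke_token("https://auth.example.com/revoke", "my-client", "my-secret",
                 "REFRESH_TOKEN_VALUE", hint: "refresh_token")
end
```

Revoking a refresh token through this call also invalidates the access tokens issued with it, so a “logout” only needs the refresh token; send the access token alone when you want to end one session without touching the refresh token.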
