Token Revocation

Revoking a token

An application can programmatically revoke the access a user has granted to it. Revocation is important when a user unsubscribes or removes an application: part of the removal process should include an API request to remove the permissions granted to the application. Additionally, to "log out" a user, an application should revoke any tokens issued to it.

A token is revoked by sending it to the Authorization Server in a PUT request.

Base URL:

Revocation Parameters

| Name | Description | Required? | Expected / Sample Values |
| --- | --- | --- | --- |
| access_token | The access token you want to revoke | No (either this or the refresh_token parameter is required) | |
| refresh_token | The refresh token you want to revoke | No (either this or the access_token parameter is required) | rt_123456789 |

Example Request

PUT /oauth2/revoke?access_token=tk_kteh1Qg3t8Qo5BZN9xbJKVvdIwj98ZcbKXtl HTTP/1.1

Example Response

HTTP/1.1 200 OK
Date: Wed, 24 May 2017 15:55:50 GMT
Server: Apache
X-OCLC-RequestId: 52e47a1e-0715-4dbb-aedd-8ff922c96b4d
Content-Length: 0
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/plain
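
The revocation request above, built from client code for a logout flow. This is an added example, not part of the original documentation. The base URL is a placeholder because the page leaves it blank, and the function names, the one-token-per-request rule and the log redaction are assumptions of the example.

```python
import urllib.parse
import urllib.request

# Placeholder: the page leaves the Base URL blank, so substitute the real one.
BASE_URL = "https://authorization-server.example"
REVOKE_PATH = "/oauth2/revoke"  # path shown in the page's Example Request


def build_revoke_request(base_url, access_token=None, refresh_token=None):
    """Build the PUT request that revokes exactly one token."""
    supplied = {k: v for k, v in (("access_token", access_token),
                                  ("refresh_token", refresh_token)) if v}
    if len(supplied) != 1:
        # Assumption: one token per request, matching the page's example.
        raise ValueError("supply exactly one of access_token or refresh_token")
    url = (base_url.rstrip("/") + REVOKE_PATH + "?"
           + urllib.parse.urlencode(supplied))
    return urllib.request.Request(url, method="PUT")


def redact(url):
    """Mask token values; the token travels in the query string, so the raw
    URL must not be written to application logs."""
    parts = urllib.parse.urlsplit(url)
    masked = [(k, v[:3] + "***") for k, v in urllib.parse.parse_qsl(parts.query)]
    query = urllib.parse.urlencode(masked, safe="*")
    return urllib.parse.urlunsplit(parts._replace(query=query))


def logout_requests(base_url, access_token, refresh_token=None):
    """Requests to send at logout. The refresh token goes first (a choice made
    here) so it cannot be used to obtain a new access token in between."""
    reqs = []
    if refresh_token:
        reqs.append(build_revoke_request(base_url, refresh_token=refresh_token))
    reqs.append(build_revoke_request(base_url, access_token=access_token))
    return reqs


def send(req, opener=urllib.request.urlopen):
    """Send one request; True only on the 200 OK shown in Example Response."""
    with opener(req, timeout=10) as resp:
        return resp.status == 200


if __name__ == "__main__":
    # Constructed sample tokens; nothing is sent unless send() is called.
    for r in logout_requests(BASE_URL, "tk_constructedSampleToken", "rt_123456789"):
        print(r.get_method(), redact(r.full_url))
```
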