PingOne Advanced Identity Cloud

/oauth2/token/revoke

Endpoint defined in RFC 7009 (OAuth 2.0 Token Revocation) that revokes access tokens and refresh tokens.

When you revoke a refresh token, you also revoke every token issued under the same authorization grant. If you obtained multiple access tokens for a single user through different authorization grants, each grant's tokens must be revoked separately; revoking one does not invalidate the others.

Specify the realm in the request URL; for example:

https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/token/revoke

Request parameters

The revoke token endpoint supports the following parameters:

client_assertion
    Description: A signed JSON Web Token (JWT) to use as client credentials.
    Required: Yes, for JWT profile authentication

client_assertion_type
    Description: The type of assertion; the value is client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer.
    Required: Yes, for JWT profile authentication

client_id
    Description: Uniquely identifies the application making the request.
    Required: Yes

client_secret
    Description: The password for a confidential client.
    Required: Yes, when authenticating with Form parameters (HTTP POST)

token
    Description: The access token or refresh token to revoke.
    Required: Yes

token_type_hint
    Description: A hint about the type of token to revoke. Valid values are access_token and refresh_token.
    Required: No

The following example revokes a refresh token:

$ curl \
--request POST \
--user "myClient:mySecret" \
--data "client_id=myClient" \
--data "token=refresh-token" \
"https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/token/revoke"
{}

Responses

The endpoint returns the following HTTP statuses:

200 OK

Success. The response body is an empty JSON object ({}).

400

Missing or invalid client authentication:

{
    "error_description":"Client authentication failed",
    "error":"invalid_client"
}

Malformed request or bad request parameters:

{
    "error_description":"error-description",
    "error":"invalid_request"
}

500

Server-side failure:

{
    "error": "server_error",
    "error_description": "Failed to revoke access token"
}
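As an added example (not code from the PingOne documentation), the following Python client assembles the revocation request described above, authenticating the client with HTTP Basic credentials as the curl example does, and maps the documented 200, 400 and 500 responses to outcomes a caller can act on. The send callback and the REVOKE_URL placeholder hostname are assumptions; the send function is injected so the logic runs without network access.

```python
import base64
import json
from urllib.parse import urlencode

REVOKE_URL = "https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/token/revoke"  # page placeholder; use your tenant FQDN

def build_revoke_request(client_id, client_secret, token, token_type_hint=None):
    """Return (url, headers, body) for a revocation call.

    Client auth uses HTTP Basic like the page's curl --user option; client_id
    is also sent as a form parameter, as the parameter table requires."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    params = {"client_id": client_id, "token": token}
    if token_type_hint is not None:
        if token_type_hint not in ("access_token", "refresh_token"):
            raise ValueError("token_type_hint must be access_token or refresh_token")
        params["token_type_hint"] = token_type_hint
    return REVOKE_URL, headers, urlencode(params)

def interpret_revoke_response(status, body):
    """Map status and JSON body to (outcome, error_description).

    RFC 7009 returns 200 for an unknown or already-revoked token too, so
    200 means 'no longer valid', not 'was found and revoked'."""
    if status == 200:
        return "revoked", None
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = {}
    error = payload.get("error", "unknown_error")
    description = payload.get("error_description")
    if status == 400 and error == "invalid_client":
        return "client_auth_failed", description  # fix client_id/secret first
    if status == 400:
        return "bad_request", description  # e.g. invalid_request
    return ("server_error" if status >= 500 else "unexpected"), description

def revoke_token(send, client_id, client_secret, token, token_type_hint=None):
    """Revoke via injected send(url, headers, body) -> (status, body_text).
    Revoking a refresh token also revokes every token from the same grant."""
    url, headers, body = build_revoke_request(client_id, client_secret, token, token_type_hint)
    status, resp_body = send(url, headers, body)
    return interpret_revoke_response(status, resp_body)
```

In production, pass a send function that performs the HTTPS POST (for example with urllib.request) and treat server_error as retryable while client_auth_failed requires fixing the client credentials.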