Token Revocation Endpoint
Overview
The Revocation Endpoint is defined in RFC 7009. It allows clients to notify the IdP that a previously issued Refresh Token or Access Token is no longer needed.
Revocation helps ensure tokens cannot be misused if they are leaked or when a session ends.
Endpoint
The endpoint is advertised as `revocation_endpoint` in the metadata exposed by the discovery endpoint and is typically:
POST https://[BASE_URL]/connect/revocation
Parameters (form-encoded)
| Parameter | Required | Description |
|---|---|---|
| `token` | Yes | The token to revoke (Access or Refresh Token). |
| `token_type_hint` | Optional | A hint about the type of token (`access_token` or `refresh_token`). |
Authentication
- The client must authenticate (e.g., HTTP Basic Auth with `client_id` and `client_secret`).
Response
- A successful revocation request returns HTTP 200 OK with an empty body.
- Even if the token is invalid or already revoked, the IdP returns 200 OK (to prevent token probing).
Usage Example
POST /connect/revocation
Content-Type: application/x-www-form-urlencoded
Authorization: Basic base64(client_id:client_secret)

token=8xLOxBtZp8&token_type_hint=refresh_token
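The following Python example is added here to show both sides of the exchange described in the Parameters, Authentication, Response and Usage Example sections: a client that resolves `revocation_endpoint` from discovery metadata and builds the form-encoded request with Basic client authentication, and a minimal server-side handler that enforces the RFC 7009 behaviour this page describes (client authentication first, then 200 OK with an empty body whether or not the token was known). It is illustrative code, not the IdP's own implementation. The discovery document, the client registry, the token store and all token values are constructed sample data; the handler treats a token issued to a different client like an unknown token, which is this example's choice rather than something the page states.

```python
import base64
import hmac
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed discovery document: only the field this page refers to.
DISCOVERY = {
    "issuer": "https://idp.example",
    "revocation_endpoint": "https://idp.example/connect/revocation",
}

# Constructed client registry and token store, standing in for the IdP's database.
CLIENTS = {"spa-client": "s3cr3t-example", "other-client": "0th3r-example"}
TOKENS = {
    "8xLOxBtZp8": {"client_id": "spa-client", "type": "refresh_token", "revoked": False},
    "acc-123":    {"client_id": "spa-client", "type": "access_token",  "revoked": False},
    "ref-other":  {"client_id": "other-client", "type": "refresh_token", "revoked": False},
}


def revocation_endpoint(discovery: dict) -> str:
    """Client side: take the endpoint from discovery metadata instead of hard-coding it."""
    return discovery["revocation_endpoint"]


def build_request(client_id: str, client_secret: str, token: str,
                  token_type_hint: Optional[str] = None) -> dict:
    """Client side: assemble the form-encoded POST with HTTP Basic client authentication."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"token": token}
    if token_type_hint:                      # optional hint; omitted when not given
        form["token_type_hint"] = token_type_hint
    return {
        "method": "POST",
        "url": revocation_endpoint(DISCOVERY),
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": f"Basic {creds}",
        },
        "body": urlencode(form),
    }


def _authenticate(headers: dict) -> Optional[str]:
    """Server side: verify Basic credentials; returns the client_id or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:                       # malformed base64 or non-UTF-8 payload
        return None
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, secret):
        return None
    return client_id


def handle_revocation(headers: dict, body: str) -> Tuple[int, str]:
    """Server side: RFC 7009 semantics as described on this page."""
    client_id = _authenticate(headers)
    if client_id is None:                    # client auth failure is the one case that is reported
        return 401, '{"error":"invalid_client"}'
    form = parse_qs(body)
    token = form.get("token", [None])[0]
    if token is None:                        # 'token' is the only required parameter
        return 400, '{"error":"invalid_request"}'
    # token_type_hint is only a lookup hint; this store is keyed by token, so it is not needed.
    record = TOKENS.get(token)
    if record is not None and record["client_id"] == client_id:
        record["revoked"] = True
    # Unknown, already-revoked, or another client's token: still 200 OK with an empty body,
    # so the response reveals nothing about whether the token existed (no token probing).
    return 200, ""


def is_revoked(token: str) -> bool:
    """Helper for introspection-style checks after revocation (constructed store only)."""
    record = TOKENS.get(token)
    return record is not None and record["revoked"]


if __name__ == "__main__":
    req = build_request("spa-client", "s3cr3t-example", "8xLOxBtZp8", "refresh_token")
    print(req["method"], req["url"])
    print(req["body"])
    print(handle_revocation(req["headers"], req["body"]), is_revoked("8xLOxBtZp8"))
```

The usage at the bottom reproduces the page's request and shows the 200 OK / empty body result; calling `handle_revocation` a second time with the same token, or with a token the server has never seen, returns the same 200 OK, while only a bad client secret produces an error response.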
Security Considerations
- RPs should clear local session data after revoking tokens.
Related Endpoints
- Token Endpoint – Issues the tokens that can be revoked.
- Introspection Endpoint – Can check token status after revocation.
- End Session Endpoint – Handles user logout (separate from token revocation).