Revoking OAuth Tokens

Revoking OAuth Access and Refresh Tokens

Access tokens and refresh tokens expire at some point in time. Access tokens tend to expire quickly, whereas refresh tokens last longer. Their validity period is set when they are created. The period for which they are valid depends on factors such as:

  • How the user authenticated and when
  • The client application that was used
  • The scopes that the user delegated

Other contextual information can also be considered when setting the validity period. When a token must stop being valid before that period ends, it should be revoked.


This tutorial builds on the configuration setup described in the steps First Configuration and Configure an Authenticator under the menu Getting Started. If you have not gone through those steps yet, you can visit the guides by clicking on the links.

You may also run this tutorial on a custom setup, but keep in mind that names and URLs may be different, as well as the capabilities configured in the profiles.

You will also need a client that can provide access tokens and refresh tokens. If you follow the code flow tutorial, you will have obtained both.


Revoke Endpoint

Revoke Flow
  1. The client sends the token to be revoked along with credentials to the revoke endpoint
  2. The server responds with an empty body and a status code

For more details about how revocation works see OAuth Revoke.

Setup in Curity

No additional setup is needed from the previous steps.

Making Requests with the Client

After obtaining tokens using any flow, a request to the revoke endpoint can be made. The endpoint path can be configured to be any path, but in the default setup it can be found at https://localhost:8443/oauth/v2/oauth-revoke

curl -X POST \
https://localhost:8443/oauth/v2/oauth-revoke \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'client_id=www&client_secret=THE_SECRET&token=5137ace0-3805-4338-be5a-56ed4f001cf4'

The response should be a 200. Now the token is revoked and can no longer be used.

The same call can be used for a refresh token. After revoking a refresh token, it is no longer possible to use either of the tokens.
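
As an added example (not part of the original tutorial), here is the same revoke request wrapped in a shell function that checks the status code explicitly, because curl exits 0 on a non-200 response unless told otherwise. The names REVOKE_URL, CLIENT_ID, CLIENT_SECRET and revoke_token are assumptions; the URL and client id default to the tutorial's values.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# Assumed names: REVOKE_URL, CLIENT_ID, CLIENT_SECRET, revoke_token.
# The defaults below are the endpoint and client id used in the tutorial.
REVOKE_URL="${REVOKE_URL:-https://localhost:8443/oauth/v2/oauth-revoke}"
CLIENT_ID="${CLIENT_ID:-www}"

# revoke_token TOKEN
# Returns 0 only when the revoke endpoint answers 200. Any other status
# (for example rejected client credentials) or a transport error returns 1,
# so a caller cannot mistake a failed request for a completed revocation.
# Returns 2 when the token argument or CLIENT_SECRET is missing.
revoke_token() {
    token="$1"
    if [ -z "$token" ] || [ -z "${CLIENT_SECRET:-}" ]; then
        echo "usage: CLIENT_SECRET=... revoke_token TOKEN" >&2
        return 2
    fi
    # The client secret is piped on stdin and read via "client_secret@-",
    # so it is not exposed in the process list as a -d '...' argument is.
    # The token being revoked still appears in curl's arguments.
    # --data-urlencode encodes each value and sends the form content type;
    # -o /dev/null drops the (empty) body and -w prints only the status.
    status=$(printf '%s' "$CLIENT_SECRET" | curl -sS -o /dev/null \
        -w '%{http_code}' -X POST "$REVOKE_URL" \
        --data-urlencode "client_id=$CLIENT_ID" \
        --data-urlencode "client_secret@-" \
        --data-urlencode "token=$token") || status="000"
    if [ "$status" = "200" ]; then
        return 0
    fi
    echo "revocation not confirmed: HTTP $status" >&2
    return 1
}
```

Call it as `CLIENT_SECRET=THE_SECRET revoke_token <token>` after sourcing the file; it works the same way for an access token or a refresh token.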
