Revoking OAuth Tokens

Revoking OAuth Tokens


Revoking OAuth Access and Refresh Tokens

Access tokens and refresh tokens expire at some point in time. Access tokens tend to expire quickly, whereas refresh tokens last longer. Their validity period is set when created. The period for which they are valid depends on factors such as:

  • How the user authenticated and when
  • The client application that was used
  • The scopes that the user delegated

Other contextual information can be considered when setting the duration of validity as well. When a token should be expired before this time, it should be revoked.


This tutorial builds on the configuration setup in the “Setup and Getting Started” section and the “Setup a Username Password Authenticator”. If you haven’t done those steps yet you can visit those guides here:

It’s possible to run this tutorial on a custom setup also, but the URLs may be different, as well as the capabilities configured in the profiles.

You will also need a client that can provide access tokens and refresh tokens. If you follow the code flow tutorial, you will have obtained both.


Revoke Endpoint

Revoke Flow

  1. The client sends the token to be revoked along with credentials to the revoke endpoint
  2. The server responds an empty body and a status code

For more details about how revocation works see OAuth Revoke.

Setup in Curity

No additional setup is needed from the previous steps.

Making Requests with the Client

After obtaining tokens using any flow, a request to the revoke endpoint can be made. The endpoint path can be configured to be any path, but in the default setup it can be found at https://localhost:8443/oauth/v2/oauth-revoke

curl -X POST \
  https://localhost:8443/oauth/v2/oauth-revoke \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'client_id=www&client_secret=THE_SECRET&token=5137ace0-3805-4338-be5a-56ed4f001cf4'

The response should be a 200. Now the token is revoked and can no longer be used.

The same call can be used for a refresh token. After revoking a refresh token it is no longer possible to use neither of the tokens.

Let’s Stay in Touch!

Get the latest on identity management, API Security and authentication straight to your inbox.

Keep up with our latest articles and how-tos using RSS feeds