---
title: Token revocation endpoint
description: The token revocation endpoint allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed. The revocation request invalidates the actual token and possibly other tokens based on the same authorization grant.
component: pingfederate
version: 13.1
page_id: pingfederate:developers_reference_guide:pf_token_revoc_endpoint
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/developers_reference_guide/pf_token_revoc_endpoint.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: March 28, 2023
section_ids:
  endpoint-asrevoke_token-oauth2: "Endpoint: /as/revoke_token.oauth2"
  oauth-client-identification-and-authentication: OAuth client identification and authentication
---

# Token revocation endpoint

The token revocation endpoint allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed. The revocation request invalidates the actual token and possibly other tokens based on the same authorization grant.

The [OAuth 2.0 Token Revocation](https://datatracker.ietf.org/doc/html/rfc7009) specification (RFC 7009) defines the token revocation endpoint.

This endpoint accepts only the HTTP POST method.

## Endpoint: /as/revoke\_token.oauth2

Only Internally Managed Reference Tokens support direct access token revocation. JSON web token (JWT) type access tokens do not support direct revocation. JWT access tokens can only be indirectly revoked if the associated refresh token is revoked, and the JWT's configuration field **Access Grant GUID Claim Name** is set for the given access token manager instance.

However, you can optionally enable direct revocation for self-contained JWT access tokens by enabling JWT access token revocation in the access token managers. When enabled, the JWTs require a **Client ID Claim Name** and a minimum **JWT ID Claim Length** of 22 alphanumeric characters. For more information, see the JSON token management tabbed topic and its description of the **Enable Token Revocation** checkbox in [Configuring an access token management instance](../administrators_reference_guide/pf_configuring_access_token_management_instance.html).

When the authorization server revokes a refresh token, it also revokes the associated access grant and access tokens. When the authorization server revokes an access token, the associated access grant and refresh token remain untouched with the exception of the implicit grant type. If the **Reuse Existing Persistent Access Grants for GrantTypes** checkbox is selected in the **System > OAuth Settings > Authorization Server Settings** window, the implicit access grant will also be revoked with the access token.

The following table describes parameters for this endpoint. The required `Content-Type` value is `application/x-www-form-urlencoded` when transmitting through the HTTP POST method.

| Parameter | Description |
| --- | --- |
| `token` (Required) | The token that the client wants to revoke. To avoid recording this parameter in web server logs, only pass it in the message body using the HTTP POST method. |
| `token_type_hint` | A hint about the type of token submitted for revocation. PingFederate supports values of `access_token` and `refresh_token`. |

## OAuth client identification and authentication

The authentication requirement of this endpoint depends on the client authentication method configured for the clients.

| Authentication method | Parameters |
| --- | --- |
| Client secret | Clients can present their client identifier and client secret using the HTTP Basic authentication scheme, where the client identifier is the username, and the client secret is the password. Clients can also provide credentials using the request parameters `client_id` and `client_secret`. The `client_secret` parameter is sensitive. To avoid recording it in web server logs, only pass in this parameter with the HTTP POST method in the message body, or through the HTTP Basic authentication scheme. |
| Client certificate | Clients must present their client certificate for mutual TLS authentication. The issuer and the subject distinguished name (DN) of the client certificate must match values configured for the clients. |
| Private key JWT or Client Secret JWT | Clients must include request parameters `client_assertion_type` and `client_assertion` in the message body of their requests. Both parameters are described after this table. |
| None | Clients must pass in the `client_id` parameter in a query string or the message body to identify themselves. |

For the private\_key\_jwt and client\_secret\_jwt client authentication methods, the request parameters are:

- `client_assertion_type`

  The value describes the format of the assertion as defined by the authorization server. For the private\_key\_jwt and client\_secret\_jwt client authentication methods, the value is `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.

- `client_assertion`

  The value is the authentication token.

**Example**

```
...
client_assertion_type=
urn%3Aietf%3Aparams%3Aoauth%
3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=
eyJhbGciOiJSUzI1NiIs...LbSWi1YO-TILOd4L7ZCg&
...
```

For readability, line breaks are inserted and the authentication token is truncated.

Learn more about the private\_key\_jwt and client\_secret\_jwt client authentication methods in [Client Authentication](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) and [Using Assertions for Client Authentication](https://datatracker.ietf.org/doc/html/rfc7521/#autoid-7).
