---
title: /oauth2/token/revoke
description: Endpoint defined in RFC 7009 Token Revocation to revoke access tokens and refresh tokens.
component: pingoneaic
page_id: pingoneaic:am-oauth2:oauth2-token-revoke-endpoint
canonical_url: https://docs.pingidentity.com/pingoneaic/am-oauth2/oauth2-token-revoke-endpoint.html
keywords: ["OAuth 2.0", "Scopes", "Grant Flow", "Endpoints", "Setup & Configuration"]
page_aliases: ["oauth2-guide:varlist-oauth2-token-revoke-endpoint.adoc", "oauth2-guide:oauth2-token-revoke-endpoint.adoc"]
section_ids:
  request_parameters: Request parameters
  responses: Responses
---

# /oauth2/token/revoke

Endpoint defined in RFC 7009 [Token Revocation](https://www.rfc-editor.org/info/rfc7009) to revoke access tokens and refresh tokens.

When you revoke a refresh token, you revoke all tokens issued with the same authorization grant. If you obtained multiple access tokens for a single user with different authorization grants, you must revoke the tokens separately to invalidate each one.

Specify the realm in the request URL; for example:

```none
https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/token/revoke
```

## Request parameters

The revoke token endpoint supports the following parameters:

| Parameter               | Description                                                                                                      | Required                                                                           |
| ----------------------- | ---------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- |
| `client_assertion`      | A signed JSON Web Token (JWT) to use as client credentials.                                                      | Yes, for [JWT profile](client-auth-jwt.html) authentication                        |
| `client_assertion_type` | The type of assertion, `client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer`. | Yes, for [JWT profile](client-auth-jwt.html) authentication                        |
| `client_id`             | Uniquely identifies the application making the request.                                                          | Yes                                                                                |
| `client_secret`         | The password for a confidential client.                                                                          | Yes, when authenticating with [Form parameters (HTTP POST)](client-auth-form.html) |
| `token`                 | The access token or refresh token to revoke.                                                                     | Yes                                                                                |
| `token_type_hint`       | A hint about the type of token to revoke. Valid values are `access_token` and `refresh_token`.                   | No                                                                                 |

The following example revokes a refresh token:

```bash
$ curl \
--request POST \
--user "myClient:mySecret" \
--data "client_id=myClient" \
--data "token=refresh-token" \
"https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/token/revoke"
{}
```

## Responses

| HTTP status | Description                                                                                                                          |
| ----------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| `200 OK`    | Success. The response body is an empty JSON object (`{}`).                                                                           |
| `400`       | Missing or invalid client authentication (`invalid_client`), or a malformed request or bad request parameters (`invalid_request`). |
| `500`       | Server-side failure (`server_error`).                                                                                                |

Example `400` response for missing or invalid client authentication:

```json
{
    "error_description":"Client authentication failed",
    "error":"invalid_client"
}
```

Example `400` response for a malformed request or bad request parameters:

```json
{
    "error_description":"error-description",
    "error":"invalid_request"
}
```

Example `500` response for a server-side failure:

```json
{
    "error": "server_error",
    "error_description": "Failed to revoke access token"
}
```
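The following Python client-side helper is an added example, not part of the Ping documentation or product code. It builds the revocation request described under Request parameters (realm URL, form body, HTTP Basic or form-parameter client authentication, optional `token_type_hint`) without sending it, and maps the response bodies listed above to an outcome; the tenant FQDN and credentials it uses are constructed placeholders.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Constructed placeholder: substitute your <tenant-env-fqdn> and realm path.
REVOKE_URL = "https://tenant.example.com/am/oauth2/realms/root/realms/alpha/token/revoke"

def build_revoke_request(token, client_id, client_secret=None,
                         token_type_hint=None, basic_auth=True):
    """Return an unsent urllib Request for an RFC 7009 revocation call.
    A confidential client authenticates with HTTP Basic (what curl --user
    does) or by sending client_secret as a form field; a public client
    sends client_id alone.
    """
    if token_type_hint not in (None, "access_token", "refresh_token"):
        raise ValueError("token_type_hint must be access_token or refresh_token")
    form = {"client_id": client_id, "token": token}
    if token_type_hint:
        form["token_type_hint"] = token_type_hint
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret and basic_auth:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    elif client_secret:
        form["client_secret"] = client_secret
    return urllib.request.Request(REVOKE_URL, data=urlencode(form).encode(),
                                  headers=headers, method="POST")

def interpret_response(status, body):
    """Classify the endpoint's documented responses.
    200 means the token is revoked; for a refresh token that covers every
    token issued under the same grant, so drop cached access tokens too.
    400 separates failed client authentication from a malformed request.
    """
    if status == 200:
        return "revoked"
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        parsed = None
    err = parsed.get("error") if isinstance(parsed, dict) else None
    if status == 400 and err == "invalid_client":
        return "client_auth_failed"
    if status == 400 and err == "invalid_request":
        return "bad_request"
    if status == 500 and err == "server_error":
        return "server_error"
    return f"unexpected:{status}"
```

Send the returned request with `urllib.request.urlopen` and pass the status code and decoded body to `interpret_response`; a `urllib.error.HTTPError` exposes both via `.code` and `.read()`.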
