Revoke
Disconnect a client by revoking its refresh token.
POST
RFC 7009 token revocation. Revoking a refresh token revokes the entire grant: every access and refresh token issued under it stops working.
Access tokens can’t be revoked individually. Revoke the grant’s refresh token instead. Per RFC 7009, this endpoint always returns
200 with an empty body.
Body Parameters
The refresh token to revoke.
Optional per RFC 7009. If set to
"access_token", the request fails: access
token revocation isn’t supported. Any other value (including
"refresh_token") is accepted and ignored. Unknown hints don’t affect
behavior.Errors
| Status | error | When |
|---|---|---|
400 | invalid_request | token or client_id is missing, or token_type_hint is "access_token". |
401 | invalid_client | Unknown or disabled client_id. |