Revoking a token

How to revoke any kind of access or refresh token

Any previously generated access tokens (refresh tokens included) can be revoked before their natural expiration date.

To revoke a token, send a POST request to the /oauth/revoke endpoint, passing the required parameters in the request body. In addition to the token you need to revoke:

non-confidential (public) API credentials that have a customer or a user in the JWT — e.g. sales channel using the password or JWT bearer flow — require the client ID only.
confidential (private) API credentials — e.g. integration, webapps — and non-confidential (public) API credentials that don't have a customer or a user in the JWT — e.g. guest sales channels using the client credentials flow — require also the client secret.

Request

POST https://auth.commercelayer.io/oauth/revoke

Arguments

Body parameter Type Required Description

Body parameter	Type	Required	Description
`client_id`	String	Required	Your client ID (from your API credentials).
`client_secret`	String	Optional	Your client secret (required for confidential API credentials and non-confidential API credetials without a customer or a user in the JWT only).
`token`	String	Required	A valid access or refresh token.

client_id

String

Required

Your client ID (from your API credentials).

client_secret

String

Optional

Your client secret (required for confidential API credentials and non-confidential API credetials without a customer or a user in the JWT only).

token

String

Required

A valid access or refresh token.

Example

Revoking a sales channel customer token

The following request revokes an access token generated for a sales channel public API credential using the password grant type, before its natural expiration date:

curl -g -X POST \
  'https://auth.commercelayer.io/oauth/revoke' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "client_id": "{{your_client_id}}",
  "token": "{{your_access_token}}"
}'

On success, the API responds with a 200 OK status code, returning an empty object. If you try to authenticate using the revoked access token, the API will return a 401 Unauthorized error.

Revoking an integration access token

The following request revokes an access token generated for a private API credential (e.g. integration, webapp, etc.), before its natural expiration date:

curl -g -X POST \
  'https://auth.commercelayer.io/oauth/revoke' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "client_id": "{{your_client_id}}",
  "client_secret": "{{your_client_secret}}",
  "token": "{{your_access_token}}"
}'

On success, the API responds with a 200 OK status code, returning an empty object. If you try to authenticate using the revoked access token, the API will return a 401 Unauthorized error.

Revoking a refresh token

The following request revokes a refresh token used to refresh a customer's access token with a "remember me" option (sales channel), before its natural expiration date:

curl -g -X POST \
  'https://auth.commercelayer.io/oauth/revoke' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "client_id": "{{your_client_id}}",
  "token": "{{your_refresh_token}}"
}'

To revoke a refresh token used to skip the authorization code step (webapp), remember to add the webapp client secret to the payload.

On success, the API responds with a 200 OK status code, returning an empty object.

PreviousJWT bearer NextRoles and permissions

Last updated 3 months ago