# Revoking a token

Any previously generated access tokens ([refresh tokens](#revoking-a-refresh-token) included) can be revoked before their natural [expiration date](/core/authentication.md#access-token-expiry).

To revoke a token, send a `POST` request to the `/oauth/revoke` endpoint, passing the required parameters in the request body. In addition to the token you need to revoke:

* *non-confidential* (public) API credentials that have a customer or a user in the JWT — e.g. sales channel using the [password](/core/authentication/password.md) or [JWT bearer](/core/authentication/jwt-bearer.md) flow — require [the client ID only](#revoking-a-sales-channel-customer-token).
* *confidential* (private) API credentials — e.g. integration, webapps — and *non-confidential* (public) API credentials that don't have a customer or a user in the JWT — e.g. guest sales channels using the [client credentials](/core/authentication/client-credentials.md) flow — require [also the client secret](#revoking-an-integration-access-token).

### Request

**POST** https://auth.commercelayer.io**/oauth/revoke**

### Arguments

| Body parameter      | Type   | Required | Description                                                                                                                                      |
| ------------------- | ------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| **`client_id`**     | String | Required | Your client ID (from your API credentials).                                                                                                      |
| **`client_secret`** | String | Optional | Your client secret (required for confidential API credentials and non-confidential API credentials without a customer or a user in the JWT only). |
| **`token`**         | String | Required | A valid access or refresh token.                                                                                                                 |

### Example

#### Revoking a sales channel customer token

{% tabs %}
{% tab title="Request" %}
The following request revokes an access token generated for a sales channel public API credential using the `password` grant type, before its natural expiration date:

<pre class="language-sh"><code class="lang-sh">curl -g -X POST \
  'https://auth.commercelayer.io/oauth/revoke' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
<strong>  "client_id": "{{your_client_id}}",
</strong><strong>  "token": "{{your_access_token}}"
</strong>}'
</code></pre>

{% endtab %}

{% tab title="Response" %}
On success, the API responds with a `200 OK` status code, returning an empty object. If you try to authenticate using the revoked access token, the API will return a `401 Unauthorized` error.
{% endtab %}
{% endtabs %}

#### Revoking an integration access token

{% tabs %}
{% tab title="Request" %}
The following request revokes an access token generated for a private API credential (e.g. integration, webapp, etc.), before its natural expiration date:

<pre class="language-sh"><code class="lang-sh">curl -g -X POST \
  'https://auth.commercelayer.io/oauth/revoke' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
<strong>  "client_id": "{{your_client_id}}",
</strong><strong>  "client_secret": "{{your_client_secret}}",
</strong><strong>  "token": "{{your_access_token}}"
</strong>}'
</code></pre>

{% endtab %}

{% tab title="Response" %}
On success, the API responds with a `200 OK` status code, returning an empty object. If you try to authenticate using the revoked access token, the API will return a `401 Unauthorized` error.
{% endtab %}
{% endtabs %}

#### Revoking a refresh token

{% tabs %}
{% tab title="Request" %}
The following request revokes a refresh token used to refresh a customer's access token with a "remember me" option (sales channel), before its natural expiration date:

<pre class="language-sh"><code class="lang-sh">curl -g -X POST \
  'https://auth.commercelayer.io/oauth/revoke' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
<strong>  "client_id": "{{your_client_id}}",
</strong><strong>  "token": "{{your_refresh_token}}"
</strong>}'
</code></pre>

{% hint style="info" %}
To revoke a refresh token used to skip the [authorization code step](/core/authentication/authorization-code.md#getting-an-authorization-code) (webapp), remember to add the webapp client secret to the payload.
{% endhint %}
{% endtab %}

{% tab title="Response" %}
On success, the API responds with a `200 OK` status code, returning an empty object.
{% endtab %}
{% endtabs %}
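
The following helper is an added example, not part of the Commerce Layer documentation or tooling. It applies the client-secret rule described at the top of this page when building the request body, and treats only a `200` response as a successful revocation. The function names, the `confidential`/`public` and `yes`/`no` labels, and the assumption that credentials and tokens contain only URL-safe characters are illustrative.

```sh
#!/bin/sh
# Added example (not Commerce Layer's code). Function names and the
# confidential/public and yes/no labels are assumptions made for illustration.
REVOKE_URL='https://auth.commercelayer.io/oauth/revoke'

# Assumption: IDs, secrets and tokens use only URL-safe characters (as JWTs do),
# so they can be placed in a JSON string without escaping. Anything else is rejected.
is_safe() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# needs_secret KIND OWNER: 0 = client_secret required, 1 = client ID only, 2 = bad input.
# KIND is confidential|public; OWNER is yes|no (customer or user in the JWT).
needs_secret() {
  case "$1:$2" in
    confidential:*|public:no) return 0 ;;
    public:yes) return 1 ;;
  esac
  return 2
}

# revoke_body KIND OWNER CLIENT_ID TOKEN [CLIENT_SECRET]: prints the JSON request body.
revoke_body() {
  id=$3 token=$4 secret=${5-}
  is_safe "$id" && is_safe "$token" || { echo 'bad client_id or token' >&2; return 2; }
  needs_secret "$1" "$2" && rc=0 || rc=$?
  case $rc in
    0) is_safe "$secret" || { echo 'client_secret required' >&2; return 3; }
       printf '{"client_id":"%s","client_secret":"%s","token":"%s"}' "$id" "$secret" "$token" ;;
    1) # The secret is not needed here, so it is never sent even if supplied.
       printf '{"client_id":"%s","token":"%s"}' "$id" "$token" ;;
    *) echo 'unknown credential kind' >&2; return 4 ;;
  esac
}

# revoke ARGS...: same arguments as revoke_body; succeeds only on HTTP 200.
# The body is piped on stdin so the secret and token stay out of the process list.
revoke() {
  body=$(revoke_body "$@") || return $?
  code=$(printf '%s' "$body" | curl -sS -o /dev/null -w '%{http_code}' \
    -X POST "$REVOKE_URL" -H 'Accept: application/json' \
    -H 'Content-Type: application/json' --data-binary @-) || return 5
  [ "$code" = 200 ]
}
```

Call `revoke` once per token: the `token` parameter carries a single access or refresh token, so each one is revoked with its own request.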


