Revoking a token

How to revoke any kind of access or refresh token


Last updated 9 months ago

Any previously generated access token (refresh tokens included) can be revoked before its natural expiration date.

To revoke a token, send a POST request to the /oauth/revoke endpoint, passing the required parameters in the request body. In addition to the token you need to revoke:

  • non-confidential (public) API credentials that have a customer or a user in the JWT (e.g. a sales channel using the password or JWT bearer flow) require the client ID only.

  • confidential (private) API credentials (e.g. integrations, webapps), and non-confidential (public) API credentials that don't have a customer or a user in the JWT (e.g. a guest sales channel using the client credentials flow), require the client secret as well.

Request

POST https://auth.commercelayer.io/oauth/revoke

Arguments

Body parameter   Type     Required   Description
client_id        String   Required   Your client ID (from your API credentials).
client_secret    String   Optional   Your client secret (required only for confidential API credentials and for non-confidential API credentials without a customer or a user in the JWT).
token            String   Required   A valid access or refresh token.

Example

Revoking a sales channel customer token

The following request revokes an access token generated for a sales channel public API credential using the password grant type, before its natural expiration date:

curl -g -X POST \
  'https://auth.commercelayer.io/oauth/revoke' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "client_id": "{{your_client_id}}",
  "token": "{{your_access_token}}"
}'

On success, the API responds with a 200 OK status code, returning an empty object. Any subsequent API request made with the revoked access token is rejected with a 401 Unauthorized error.

Revoking an integration access token

The following request revokes an access token generated for a private API credential (e.g. integration, webapp, etc.), before its natural expiration date:

curl -g -X POST \
  'https://auth.commercelayer.io/oauth/revoke' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "client_id": "{{your_client_id}}",
  "client_secret": "{{your_client_secret}}",
  "token": "{{your_access_token}}"
}'

On success, the API responds with a 200 OK status code, returning an empty object. Any subsequent API request made with the revoked access token is rejected with a 401 Unauthorized error.

Revoking a refresh token

The following request revokes a refresh token used to refresh a customer's access token with a "remember me" option (sales channel), before its natural expiration date:

curl -g -X POST \
  'https://auth.commercelayer.io/oauth/revoke' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "client_id": "{{your_client_id}}",
  "token": "{{your_refresh_token}}"
}'

On success, the API responds with a 200 OK status code, returning an empty object.

To revoke a refresh token used to skip the authorization code step (webapp), remember to add the webapp client secret to the payload.
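The following Python client is an added example, not part of this page or of Commerce Layer's own SDKs. It applies the rule described above for all three cases (customer token, integration token, refresh token): client_secret is added to the /oauth/revoke body only when the credential is confidential or when the JWT carries no customer or user. It goes slightly beyond the page in that an opaque (non-JWT) token is treated as having no customer or user, so the secret is required. The claim name used to detect a customer or user ("owner" with a "type" of "Customer" or "User") is an assumption, as are the sample tokens, which are constructed unsigned JWTs used only so the script runs offline; the real HTTP call uses only the endpoint and headers shown on this page.

```python
"""Revoke a Commerce Layer access or refresh token via POST /oauth/revoke.

Added example (not Commerce Layer's own code). Assumption: the customer or user
is carried in the JWT under an "owner" claim with a "type" of "Customer" or
"User"; that claim name is not taken from this page.
"""
import base64
import json
import urllib.error
import urllib.request

REVOKE_URL = "https://auth.commercelayer.io/oauth/revoke"
OWNER_CLAIM = "owner"  # assumed claim name, not documented on this page


def b64url_decode(segment):
    """Decode base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token):
    """Return the JWT payload as a dict, or {} if the token is not a JWT.

    The signature is deliberately not checked: the claims are only used to pick
    request parameters, and the authorization server validates the token itself.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return {}
    try:
        payload = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return {}
    return payload if isinstance(payload, dict) else {}


def has_customer_or_user(token):
    """True when the token's JWT carries a customer or a user (assumed claim)."""
    owner = jwt_payload(token).get(OWNER_CLAIM)
    return isinstance(owner, dict) and owner.get("type") in ("Customer", "User")


def revoke_payload(client_id, token, client_secret=None, confidential=False):
    """Build the /oauth/revoke body, adding client_secret only when required.

    Confidential credentials always need the secret; public credentials need it
    only when there is no customer or user in the JWT (guest sales channel).
    """
    needs_secret = confidential or not has_customer_or_user(token)
    body = {"client_id": client_id, "token": token}
    if needs_secret:
        if not client_secret:
            raise ValueError("client_secret is required for this credential")
        body["client_secret"] = client_secret
    return body


def post_json(url, body):
    """POST a JSON body; return (status, response text) even on 4xx/5xx."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Accept": "application/json", "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def revoke_token(client_id, token, client_secret=None, confidential=False, post=post_json):
    """Revoke `token`; True on 200 OK. `post` is injectable for offline tests."""
    body = revoke_payload(client_id, token, client_secret, confidential)
    status, _ = post(REVOKE_URL, body)
    return status == 200


def make_unsigned_jwt(payload):
    """Constructed sample token (alg none, empty signature) for offline use only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."


# Constructed sample tokens; a real token would be signed by the auth server.
CUSTOMER_TOKEN = make_unsigned_jwt({"owner": {"type": "Customer", "id": "cust_1"}, "exp": 1893456000})
GUEST_TOKEN = make_unsigned_jwt({"exp": 1893456000})

if __name__ == "__main__":
    print(revoke_payload("my_client_id", CUSTOMER_TOKEN))                 # no secret
    print(revoke_payload("my_client_id", GUEST_TOKEN, "my_secret"))       # secret added
    print(revoke_payload("my_client_id", CUSTOMER_TOKEN, "my_secret", confidential=True))
```

For an integration or webapp credential pass `confidential=True`, which forces the secret regardless of the token's claims; the same function revokes refresh tokens, since the body is identical and only the value of `token` changes. Treating any non-JWT token as needing the secret fails closed: the worst case is a rejected revocation request, never a secret sent where the page says none is needed.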
