Revoking a token

How to revoke any kind of access or refresh token

Any previously generated access tokens (refresh tokens included) can be revoked before their natural expiration date.

To revoke a token, send a POST request to the /oauth/revoke endpoint, passing the required parameters in the request body. In addition to the token you need to revoke:

non-confidential (public) API credentials that have a customer or a user in the JWT — e.g. sales channel using the password or JWT bearer flow — require the client ID only.
confidential (private) API credentials — e.g. integration, webapps — and non-confidential (public) API credentials that don't have a customer or a user in the JWT — e.g. guest sales channels using the client credentials flow — require also the client secret.

Request

POST https://auth.commercelayer.io/oauth/revoke

Arguments

Body parameter

Type

Required

Description

client_id

String

Required

Your client ID (from your API credentials).

client_secret

String

Optional

Your client secret (required for confidential API credentials and non-confidential API credetials without a customer or a user in the JWT only).

token

String

Required

A valid access or refresh token.

Example

Revoking a sales channel customer token

The following request revokes an access token generated for a sales channel public API credential using the password grant type, before its natural expiration date:

curl -g -X POST \
  'https://auth.commercelayer.io/oauth/revoke' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "client_id": "{{your_client_id}}",
  "token": "{{your_access_token}}"
}'

Revoking an integration access token

The following request revokes an access token generated for a private API credential (e.g. integration, webapp, etc.), before its natural expiration date:

curl -g -X POST \
  'https://auth.commercelayer.io/oauth/revoke' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "client_id": "{{your_client_id}}",
  "client_secret": "{{your_client_secret}}",
  "token": "{{your_access_token}}"
}'

Revoking a refresh token

The following request revokes a refresh token used to refresh a customer's access token with a "remember me" option (sales channel), before its natural expiration date:

curl -g -X POST \
  'https://auth.commercelayer.io/oauth/revoke' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "client_id": "{{your_client_id}}",
  "token": "{{your_refresh_token}}"
}'

To revoke a refresh token used to skip the authorization code step (webapp), remember to add the webapp client secret to the payload.

PreviousJWT bearer NextRoles and permissions

Last updated 10 days ago

hashtagRequest

hashtagArguments

hashtagExample

hashtagRevoking a sales channel customer token

hashtagRevoking an integration access token

hashtagRevoking a refresh token

Request

Arguments

Example

Revoking a sales channel customer token

Revoking an integration access token

Revoking a refresh token