Revoking a token
How to revoke any kind of access or refresh token
Any previously generated access tokens (refresh tokens included) can be revoked before their natural expiration date.
To revoke a token, send a POST request to the /oauth/revoke endpoint, passing the required parameters in the request body. Besides the token you want to revoke, the credentials you must send depend on the kind of API credential that issued it:
non-confidential (public) API credentials whose JWT contains a customer or a user (e.g. a sales channel using the password or JWT bearer flow) require the client ID only.
confidential (private) API credentials (e.g. integrations, webapps) and non-confidential (public) API credentials whose JWT contains no customer or user (e.g. a guest sales channel using the client credentials flow) require the client secret as well.
Request
POST https://auth.commercelayer.io/oauth/revoke
Arguments
client_id (String, required): your client ID (from your API credentials).
client_secret (String, optional): your client secret. Required only for confidential API credentials and for non-confidential API credentials whose JWT contains no customer or user.
token (String, required): a valid access or refresh token.
Example
Revoking a sales channel customer token
The following request revokes an access token generated for a sales channel public API credential using the password grant type, before its natural expiration date:
Revoking an integration access token
The following request revokes an access token generated for a private API credential (e.g. integration, webapp, etc.), before its natural expiration date:
Revoking a refresh token
The following request revokes a refresh token used to refresh a customer's access token with a "remember me" option (sales channel), before its natural expiration date:
To revoke a refresh token used to skip the authorization code step (webapp), remember to add the webapp client secret to the payload.
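The three requests described above, as an added example that is not part of this page or of Commerce Layer's own code. It encodes the rule from the top of the page (when client_secret must be sent), builds the /oauth/revoke body for each case, and refuses to send a request the page says would be incomplete. Assumptions: the request body is JSON (the convention of the token endpoint), the customer/user in an access token lives in a claim named "owner" (the page does not name the claim), and the sample tokens are constructed, unsigned JWTs used only to demonstrate the claim check offline.

```python
import base64
import json
import urllib.request

# Endpoint from the page; everything else in this file is an added example.
REVOKE_URL = "https://auth.commercelayer.io/oauth/revoke"


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the claims of a JWT without verifying its signature.

    This is acceptable only because we hold the token ourselves and read it
    just to choose revocation parameters; never use unverified claims to
    make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def jwt_has_owner(token: str) -> bool:
    """True when the access token carries a customer or a user.

    Assumption: the claim is named "owner"; the page does not name it.
    """
    return "owner" in jwt_payload(token)


def needs_client_secret(confidential: bool, owner_in_jwt: bool) -> bool:
    """Rule from the page: confidential credentials always need the secret;
    public credentials need it only when the JWT has no customer or user."""
    return confidential or not owner_in_jwt


def revocation_payload(token, client_id, client_secret=None, *,
                       confidential, owner_in_jwt):
    """Build the /oauth/revoke body, adding client_secret only when required
    and failing early instead of sending a request that would be rejected."""
    body = {"client_id": client_id, "token": token}
    if needs_client_secret(confidential, owner_in_jwt):
        if not client_secret:
            raise ValueError("client_secret is required for this credential")
        body["client_secret"] = client_secret
    return body


def revoke(token, client_id, client_secret=None, *, confidential, owner_in_jwt,
           opener=None):
    """POST the revocation and return the HTTP status.

    Assumes a JSON body. `opener` lets a caller inject a transport, so the
    function can be exercised without touching the network.
    """
    body = json.dumps(revocation_payload(
        token, client_id, client_secret,
        confidential=confidential, owner_in_jwt=owner_in_jwt)).encode()
    req = urllib.request.Request(
        REVOKE_URL, data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    opener = opener or urllib.request.build_opener()
    # Never log `body`: it carries the token and possibly the client secret.
    with opener.open(req) as resp:
        return resp.status


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (alg "none", empty signature) for offline use only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    customer_token = make_unsigned_jwt({"owner": {"type": "Customer", "id": "constructed"}})
    guest_token = make_unsigned_jwt({"application": {"kind": "sales_channel"}})
    # 1. Sales channel token with a customer in the JWT: client ID only.
    print(revocation_payload(customer_token, "CLIENT_ID",
                             confidential=False, owner_in_jwt=jwt_has_owner(customer_token)))
    # 2. Integration/webapp (confidential) access or refresh token: ID and secret.
    print(revocation_payload("OPAQUE_REFRESH_TOKEN", "CLIENT_ID", "CLIENT_SECRET",
                             confidential=True, owner_in_jwt=False))
    # 3. Guest sales channel token (client credentials, no owner): secret required too.
    print(revocation_payload(guest_token, "CLIENT_ID", "CLIENT_SECRET",
                             confidential=False, owner_in_jwt=jwt_has_owner(guest_token)))
```

Call revoke() with the same keyword flags to actually send the request; a 2xx status means the token is no longer usable, and a subsequent API call with it should be rejected. The owner check is deliberately not applied to refresh tokens: pass confidential=True for a webapp refresh token, which is exactly the case where the page reminds you to include the client secret.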