Revoking a token
How to revoke any kind of access or refresh token
Any previously generated access tokens (refresh tokens included) can be revoked before their natural expiration date.
To revoke a token, send a POST request to the /oauth/revoke endpoint, passing the required parameters in the request body. In addition to the token you need to revoke:
- Non-confidential (public) API credentials that have a customer or a user in the JWT — e.g. a sales channel using the password or JWT bearer flow — require the client ID only.
- Confidential (private) API credentials — e.g. integrations, webapps — and non-confidential (public) API credentials that don't have a customer or a user in the JWT — e.g. guest sales channels using the client credentials flow — also require the client secret.
Request
POST https://auth.commercelayer.io/oauth/revoke
Arguments
client_id (String, Required): Your client ID (from your API credentials).
client_secret (String, Optional): Your client secret (required only for confidential API credentials and for non-confidential API credentials without a customer or a user in the JWT).
token (String, Required): A valid access or refresh token.
Example
Revoking a sales channel customer token
The following request revokes an access token generated for a sales channel public API credential using the password grant type, before its natural expiration date:
curl -g -X POST \
'https://auth.commercelayer.io/oauth/revoke' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"client_id": "{{your_client_id}}",
"token": "{{your_access_token}}"
}'
Revoking an integration access token
The following request revokes an access token generated for a private API credential (e.g. integration, webapp, etc.), before its natural expiration date:
curl -g -X POST \
'https://auth.commercelayer.io/oauth/revoke' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"client_id": "{{your_client_id}}",
"client_secret": "{{your_client_secret}}",
"token": "{{your_access_token}}"
}'
Revoking a refresh token
The following request revokes a refresh token used to refresh a customer's access token with a "remember me" option (sales channel), before its natural expiration date:
curl -g -X POST \
'https://auth.commercelayer.io/oauth/revoke' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"client_id": "{{your_client_id}}",
"token": "{{your_refresh_token}}"
}'
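The three requests above differ only in whether client_secret is sent. The following is an added example, not Commerce Layer's own code, that encodes that rule so a public client never puts a secret on the wire and a confidential one cannot forget it. The function names (needs_client_secret, build_revoke_body, build_request, revoke_all) are hypothetical, and because this page does not document the response, revoke_all simply returns the HTTP status of each call.

```python
import json
import urllib.error
import urllib.request

REVOKE_URL = "https://auth.commercelayer.io/oauth/revoke"  # endpoint from the page


def needs_client_secret(confidential, owner_in_jwt):
    """Page rule: confidential credentials, and public credentials whose JWT
    has no customer or user, must send the client secret too."""
    return confidential or not owner_in_jwt


def build_revoke_body(token, client_id, *, confidential, owner_in_jwt,
                      client_secret=None):
    """Return the JSON body for one revocation (hypothetical helper)."""
    if not token or not client_id:
        raise ValueError("token and client_id are required")
    body = {"client_id": client_id, "token": token}
    if needs_client_secret(confidential, owner_in_jwt):
        if not client_secret:
            raise ValueError("client_secret is required for this credential")
        body["client_secret"] = client_secret
    # Otherwise any secret passed in is deliberately left off the wire.
    return body


def build_request(body):
    """Same method and headers as the curl examples on the page."""
    return urllib.request.Request(
        REVOKE_URL,
        data=json.dumps(body).encode("utf-8"),
        headers={"Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST",
    )


def revoke_all(tokens, client_id, **credential):
    """Revoke every token (e.g. access + refresh at logout). Returns one HTTP
    status per token; token values are never logged or returned."""
    statuses = []
    for token in tokens:
        req = build_request(build_revoke_body(token, client_id, **credential))
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                statuses.append(resp.status)
        except urllib.error.HTTPError as err:
            statuses.append(err.code)  # network errors (URLError) propagate
    return statuses
```

At logout, passing both the access token and the refresh token to revoke_all in one call avoids leaving a still-valid refresh token behind.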