# Revoking a token

Any previously generated access tokens ([refresh tokens](#revoking-a-refresh-token) included) can be revoked before their natural [expiration date](https://docs.commercelayer.io/core/authentication/..#access-token-expiry).

To revoke a token, send a `POST` request to the `/oauth/revoke` endpoint, passing the required parameters in the request body. In addition to the token you need to revoke:

* *non-confidential* (public) API credentials that have a customer or a user in the JWT — e.g. sales channel using the [password](https://docs.commercelayer.io/core/authentication/password) or [JWT bearer](https://docs.commercelayer.io/core/authentication/jwt-bearer) flow — require [the client ID only](#revoking-a-sales-channel-customer-token).
* *confidential* (private) API credentials — e.g. integration, webapps — and *non-confidential* (public) API credentials that don't have a customer or a user in the JWT — e.g. guest sales channels using the [client credentials](https://docs.commercelayer.io/core/authentication/client-credentials) flow — also require [the client secret](#revoking-an-integration-access-token).

### Request

**POST** `https://auth.commercelayer.io/oauth/revoke`

### Arguments

| Body parameter      | Type   | Required | Description                                                                                                                                      |
| ------------------- | ------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| **`client_id`**     | String | Required | Your client ID (from your API credentials).                                                                                                      |
| **`client_secret`** | String | Optional | Your client secret (required for confidential API credentials and non-confidential API credentials without a customer or a user in the JWT only). |
| **`token`**         | String | Required | A valid access or refresh token.                                                                                                                 |

### Example

#### Revoking a sales channel customer token

{% tabs %}
{% tab title="Request" %}
The following request revokes an access token generated for a sales channel public API credential using the `password` grant type, before its natural expiration date:

<pre class="language-sh"><code class="lang-sh">curl -g -X POST \
  'https://auth.commercelayer.io/oauth/revoke' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
<strong>  "client_id": "{{your_client_id}}",
</strong><strong>  "token": "{{your_access_token}}"
</strong>}'
</code></pre>

{% endtab %}

{% tab title="Response" %}
On success, the API responds with a `200 OK` status code, returning an empty object. If you try to authenticate using the revoked access token, the API will return a `401 Unauthorized` error.
{% endtab %}
{% endtabs %}

#### Revoking an integration access token

{% tabs %}
{% tab title="Request" %}
The following request revokes an access token generated for a private API credential (e.g. integration, webapp, etc.), before its natural expiration date:

<pre class="language-sh"><code class="lang-sh">curl -g -X POST \
  'https://auth.commercelayer.io/oauth/revoke' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
<strong>  "client_id": "{{your_client_id}}",
</strong><strong>  "client_secret": "{{your_client_secret}}",
</strong><strong>  "token": "{{your_access_token}}"
</strong>}'
</code></pre>

{% endtab %}

{% tab title="Response" %}
On success, the API responds with a `200 OK` status code, returning an empty object. If you try to authenticate using the revoked access token, the API will return a `401 Unauthorized` error.
{% endtab %}
{% endtabs %}

#### Revoking a refresh token

{% tabs %}
{% tab title="Request" %}
The following request revokes a refresh token used to refresh a customer's access token with a "remember me" option (sales channel), before its natural expiration date:

<pre class="language-sh"><code class="lang-sh">curl -g -X POST \
  'https://auth.commercelayer.io/oauth/revoke' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
<strong>  "client_id": "{{your_client_id}}",
</strong><strong>  "token": "{{your_refresh_token}}"
</strong>}'
</code></pre>

{% hint style="info" %}
To revoke a refresh token used to skip the [authorization code step](https://docs.commercelayer.io/core/authorization-code#getting-an-authorization-code) (webapp), remember to add the webapp client secret to the payload.
{% endhint %}
{% endtab %}

{% tab title="Response" %}
On success, the API responds with a `200 OK` status code, returning an empty object.
{% endtab %}
{% endtabs %}
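
The client-secret rule and the requests above can be combined into a logout routine. The following Python sketch is an added example, not Commerce Layer's own code: the function names and the `confidential` / `has_owner` flags are assumptions made here, and revoking the refresh token before the access token is a choice of this example rather than something the API requires.

```python
import json
import urllib.error
import urllib.request

REVOKE_URL = "https://auth.commercelayer.io/oauth/revoke"  # endpoint documented above

def needs_client_secret(confidential: bool, has_owner: bool) -> bool:
    # Rule from this page: only non-confidential credentials whose JWT carries
    # a customer or a user may revoke with the client ID alone.
    return confidential or not has_owner

def build_revoke_request(client_id, token, *, confidential, has_owner,
                         client_secret=None):
    """Build (without sending) the POST /oauth/revoke request for one token."""
    body = {"client_id": client_id, "token": token}
    if needs_client_secret(confidential, has_owner):
        if not client_secret:
            raise ValueError("client_secret is required for this credential type")
        body["client_secret"] = client_secret
    # Otherwise the secret is left out even if supplied (a choice made in this
    # example, so a secret is never sent when the API does not need it).
    return urllib.request.Request(
        REVOKE_URL,
        data=json.dumps(body).encode(),
        headers={"Accept": "application/json", "Content-Type": "application/json"},
        method="POST",
    )

def logout_requests(client_id, access_token, refresh_token=None, **cred):
    """Requests to send at logout: refresh token first, so it cannot be used to
    obtain a new access token while the access token is being revoked."""
    tokens = [t for t in (refresh_token, access_token) if t]
    return [build_revoke_request(client_id, t, **cred) for t in tokens]

def send(req, timeout=10):
    """Return True on 200 OK; on False, assume the token may still be valid."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.URLError:  # also covers HTTPError (4xx/5xx)
        return False

if __name__ == "__main__":
    # Constructed placeholder values; nothing is sent, only field names printed.
    for r in logout_requests("CLIENT_ID_PLACEHOLDER", "ACCESS_TOKEN_PLACEHOLDER",
                             "REFRESH_TOKEN_PLACEHOLDER",
                             confidential=False, has_owner=True):
        print(r.get_method(), r.full_url, sorted(json.loads(r.data)))
```

Pass each request returned by `logout_requests` to `send`, and keep the session marked as active on your side until every call returns `True`.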
