In some cases, a user may want to revoke access given to an application. Programmatic revocation is important in instances where a user logs out, changes identity, unsubscribes, or uninstalls the application.
|Supported HTTP method||POST|
|string||REQUIRED||The token that the client wants to get revoked. Can be access token or refresh token.|
|string||REQUIRED||40-character long string that identifies the client the token belongs to.|
In addition to the parameters above, the client must provide its client secret (provided along with the client key) to authenticate itself. The authentication is done with HTTP Basic authorization method.
Sample HTTP header:
Authorization: Basic bc345abc45d6789abcdef0123aef0126789def01
For example, a client may request the revocation of a token with the following request:
POST /oauth2/token/revoke HTTP/1.1Host: video.ibm.comContent-Type: application/x-www-form-urlencodedAuthorization: Basic bc345abc45d6789abcdef0123aef0126789def01token=5fb2a4aba6157825929b78c56e623613f20033ff&client_id=50aefe42c68cf63b488fc6630b7f0b3b7ae00e8e
The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token. The content of the response body can be ignored by the client as all necessary information is conveyed in the response code.