PUT oauth/admin/token/revoke

Revokes an existing OAuth grant.

You can send the two parameters, client_id and client_secret, either in form parameters or in the Basic authorization header.

Authorization Roles/Permissions: Must be an authorized user for the resource.

HTTP Method

PUT

URL

https://{oauth-provider-url}/oauth/admin/token/revoke

Sample Request

The example below shows a request for client information for the OAuth Provider.

Sample Request URL

https://{oauth-provider-url}/oauth/admin/token/revoke

Sample request headers

Accept: application/json
Cookie: OAuthToken_{OAuthProviderName}={Cookie value (usually starts with TokenID)}

Sample request body

The example below shows the request parameters sent as Authorization headers.

Revoke Token API call

Request Headers

For general information on request header values, refer to HTTP Request Headers.

Header Description
Accept application/xml
Content-Type application/x-www-form-urlencoded
Cookie OAuthToken_{OAuthProviderName}—The OAuth cookie that identifies the logged-in user with the provider. Depending on the operation being used and the context, the authenticated user could be the resource owner, the administrator, the client app administration, or the OAuth Provider. The cookie is returned after logging in with the POST /oauth/login operation.

Request Parameters

Parameter Parm Type Data Type Required Description
client_id Form String Required as parameter or in header

The client ID for the OAuth grant that is being revoked.

You could also send this in a Basic Authorization header, as a Base64-encoded form of app_id:shared_secret. In this context, both values are the app credentials, available from the App Details page, Security section: app_id is the AppID value, in the format {tenant}-{uniqueid}, and the shared_secret value is also in the Security section.

To get the app_id value (called identity in the API response), use the GET /api/apps/versions/{AppVersionID} operation.

To get the shared secret, use the GET /api/apps/versions/{AppVersionID}/secret operation.

See example.

client_secret Form String Required as parameter or in header The Shared Secret value for the app. Used in the Basic authorization header; see client_id and example.
access_token Form String Required

The access token that is being revoked.

You could also send this in a Bearer Authorization header. See example.

If you are not sure of the access_token value, you can use the POST /oauth/oauth20/token operation to retrieve the value.

Response

If successful, this operation returns HTTP status code 200 or 204, with no response content:

  • If the request was valid and the grant was found and revoked, a 200 is returned.
  • If the request was valid but there was nothing to revoke—for example, the grant had already expired—a 204 is returned.

Sample Response

The sample response below shows successful completion of this operation.

Sample response headers

HTTP/1.1 200 OK
Content-Type: application/json

Sample response body

None.

Response Headers

For general information on response header values, refer to HTTP Response Headers.

Header Description
Content-Type application/xml

Response Body

None.

Error Codes/Messages

If the call is unsuccessful, an error code/message is returned. One or more examples of possible errors for this operation are shown below.

Item Value
401 Unauthorized. For example, you would get this response if you didn't include the OAuthToken_{OAuthProviderName} cookie, or if you included an invalid cookie.
404 The resource could not be found. For example, you might get this if you have a typo in the URL, or if the Accept header is set to a wrong value. You would also get this if you were using the wrong HTTP verb.

500 An error occurred processing the call.

More information about Akana OAuth API error messages.
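The following client code is an added example, not part of the original documentation or the vendor's own code. It builds the PUT request with the app credentials in the Basic Authorization header and access_token as a form parameter, then maps the status codes listed above to an outcome so that only 200 and 204 are treated as confirmation that the grant is gone. The function names, the provider URL and all sample values are assumptions constructed for illustration.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request

# Outcomes for the status codes listed in the Response and Error Codes sections.
OUTCOMES = {200: "revoked", 204: "nothing_to_revoke", 401: "unauthorized",
            404: "not_found", 500: "server_error"}


def build_revoke_request(provider_url, provider_name, cookie_value,
                         app_id, shared_secret, access_token):
    """Build the PUT request; the shared secret goes in a header, never in the URL."""
    basic = base64.b64encode(f"{app_id}:{shared_secret}".encode()).decode()
    body = urllib.parse.urlencode({"access_token": access_token}).encode()
    return urllib.request.Request(
        url=provider_url.rstrip("/") + "/oauth/admin/token/revoke",
        data=body,
        method="PUT",
        headers={
            "Accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": "Basic " + basic,
            "Cookie": f"OAuthToken_{provider_name}={cookie_value}",
        },
    )


def classify(status):
    """Return (outcome, grant_is_gone); only 200 and 204 confirm revocation."""
    outcome = OUTCOMES.get(status, "unexpected")
    return outcome, status in (200, 204)


def revoke(request, timeout=10):
    """Send the request; 4xx/5xx arrive as HTTPError and are classified too."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)


if __name__ == "__main__":
    # Constructed sample values; the request is built but not sent.
    req = build_revoke_request("https://oauth.example.com", "ExampleProvider",
                               "TokenID-constructed", "acme-abc123", "s3cret",
                               "sample-token-123")
    print(req.get_method(), req.full_url, classify(204))
```

A caller that revokes tokens as part of incident response should treat any outcome where the second value is False as "revocation not confirmed" and retry or escalate rather than assume the grant is gone.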