Token Revocation
See RFC 7009 for a detailed description. According to RFC 7009, a client should revoke the refresh token when it is no longer needed. This allows the authorization server to clean up security credentials. A revocation request invalidates the actual refresh token and, if applicable, other refresh tokens based on the same authorization grant. It is not possible to revoke an access token. After a refresh token has been revoked, the client may not continue to use the access token, even if it is still valid. The access token automatically loses its validity after one hour at the latest.
Revoke a Refresh Token
The client builds the request by including the following parameters using the “application/x-www-form-urlencoded” format in an HTTP request entity-body:
POST https://account.ezeep.com/oauth/revoke/
Supported attributes:
Attribute | Type | Required | Description |
---|---|---|---|
Authorization | HTTP Header | Yes | Basic {{base_64_encoded_client_id}} |
Content-Type | HTTP Header | Yes | application/x-www-form-urlencoded |
token | string | Yes | The refresh token to be revoked |
If successful, the endpoint returns an HTTP status code without any content.
Example Request
curl -L -X POST "https://account.ezeep.com/oauth/revoke/" \
--header "Authorization: Basic bm9Y...hhcg==" \
--header "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "token=O1dtH4rqejCzPS2uRYnt"
Example Response
// no content
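The following sign-out routine is an added example, not code from ezeep: it sends the revocation request described above and then discards the locally held refresh and access tokens, since the client may not keep using the access token after revocation. The function names, the `store` dictionary and the `opener` parameter are hypothetical, and treating any 2xx status as success is an assumption because the page does not name the status code.

```python
import urllib.error
import urllib.parse
import urllib.request

REVOKE_URL = "https://account.ezeep.com/oauth/revoke/"  # endpoint from this page


def build_revoke_request(client_id_b64, refresh_token):
    """Build the revocation POST without sending it."""
    if not refresh_token:
        raise ValueError("no refresh token to revoke")
    # Form-encode the token so characters such as '+', '/' or '=' survive transport.
    body = urllib.parse.urlencode({"token": refresh_token}).encode("ascii")
    return urllib.request.Request(
        REVOKE_URL,
        data=body,
        method="POST",
        headers={
            # client_id_b64 is the {{base_64_encoded_client_id}} value from the table.
            "Authorization": "Basic " + client_id_b64,
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def revoke_and_forget(store, client_id_b64, opener=urllib.request.urlopen):
    """Revoke the stored refresh token; on success drop both tokens locally.

    `store` is a hypothetical dict holding "refresh_token" and "access_token".
    Returns True if the server accepted the revocation (assumed: any 2xx).
    """
    req = build_revoke_request(client_id_b64, store.get("refresh_token"))
    try:
        with opener(req, timeout=10) as resp:
            revoked = 200 <= resp.status < 300
    except urllib.error.URLError:
        # Covers network failures and non-2xx replies (HTTPError).
        revoked = False
    if revoked:
        # The access token may no longer be used once the refresh token is
        # revoked, even though it stays valid for up to one hour.
        store.pop("refresh_token", None)
        store.pop("access_token", None)
    # On failure the refresh token is kept so revocation can be retried.
    return revoked
```

Because the access token cannot be revoked and stays valid for up to one hour, deleting it locally is what stops the client from using it after sign-out.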