Revoke token
Visibility: public · internal ( OpenAPI Custom Extension: x-visibility )
Explicitly revoke an access token before its natural expiration. Once revoked, the token is added to a server-side deny list and will fail introspection checks immediately.
Callers can revoke their own tokens. Tenant administrators can revoke any token within the tenant.
Inspired by RFC 7009 but uses application/json instead of form-encoded requests. This endpoint returns 200 even if the token is already expired, revoked, or unrecognized. This prevents information leakage about token validity.
Resource servers that enforce real-time revocation must call the introspect endpoint for sensitive operations, as self-contained JWT signature verification alone will not detect revoked tokens.
Authorizations
Bearer token authentication using OAuth2/OIDC tokens
Body
The access token (JWT) to revoke.
Response
Token revocation accepted. Per RFC 7009, this status is returned regardless of whether the token was valid, already revoked, or unrecognized.
Always true on successful processing.
true