Revoking tokens

A client app may revoke access and refresh tokens received from the Authorization Server by sending a revocation request to the revocation endpoint.

Access tokens

In all three available OAuth 2.0 flows, client apps receive access tokens that they use to access resource owners' data. These access tokens have a predefined lifespan of 1800 seconds. Typically, confidential and trusted client apps that no longer use an access token that hasn't yet expired can revoke the token. By revoking the access token, they allow the Authorization Server to clean up any security credentials associated with the authorization.

For example, to implement a logout function, a client app may revoke the access token, which forces the user to authenticate again unless the app still holds a refresh token it can use to obtain a new access token. Because revoking an access token leaves its refresh token valid, a logout that is meant to end the session must revoke the refresh token as well.

Note: Revoking an access token doesn't revoke the associated refresh token.

Refresh tokens

In the authorization code grant flow, client apps receive refresh tokens that they use to obtain new access tokens. These refresh tokens have a predefined lifespan of 20000 seconds. If a client app no longer uses a refresh token and the lifespan of this refresh token hasn't expired, it's best practice to revoke the token. This reduces the threat of an unauthorized party intercepting the token and getting access to resource owners' data.

For example, if an end user authorized an event planner client app to add selected events to their phone calendar, the client app may no longer need a refresh token once the user finishes selecting events and closes the app. In that case, the client app should revoke the refresh token immediately, shortening the window in which a leaked token could be used.

Note: Revoking a refresh token doesn't revoke the associated access token.

Revocation endpoint

To revoke an access or refresh token, a client app sends an HTTP POST request to the revocation endpoint, authenticating with its client credentials. The HTTP Basic value is the base64 encoding of <client-id>:<client-secret> (RFC 6749, section 2.3.1), not the two values written side by side:
Authorization: Basic <base64(client-id:client-secret)>
Content-Type: application/x-www-form-urlencoded

Note the parameters in the form-encoded request body:
token: the access or refresh token to revoke. RFC 7009 also allows an optional token_type_hint parameter (access_token or refresh_token) that tells the server where to look first. Send the token in the body, never in the query string, so it does not end up in access logs.
The server returns the same response whether the token was valid, invalid, expired, or already revoked, so a client cannot use this endpoint to probe whether a token is still live:
HTTP/1.1 200
Content-Length: 0
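The following is an added example, not code from the original page or from the Authorization Server it documents. It shows both sides of the exchange described above: a client helper that builds the RFC 7009 revocation request (Basic credentials as base64 of client-id:client-secret, token and optional token_type_hint in the form body), and a minimal in-memory model of the endpoint that always answers 200 with an empty body and, as this page states, revokes only the token it is given so the associated token of the other type stays valid. It also implements the logout described in the Access tokens section by revoking both tokens. The client id, secret, endpoint URL, and token values are constructed for illustration; a real client would send the request over HTTPS to the provider's endpoint instead of calling handle() directly.

```python
import base64
import hmac
import json
import urllib.parse
from typing import Dict, List, Optional, Tuple

# Hypothetical values; the real endpoint URL and credentials come from the Authorization Server.
REVOCATION_URL = "https://auth.example.com/oauth/revoke"  # assumption
CLIENT_ID = "my-client-id"                                 # assumption
CLIENT_SECRET = "my-client-secret"                         # assumption


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication per RFC 6749 section 2.3.1: base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_revocation_request(client_id: str, client_secret: str, token: str,
                             token_type_hint: Optional[str] = None) -> Tuple[Dict[str, str], str]:
    """Return (headers, form-encoded body) for an RFC 7009 revocation POST.

    The token travels in the body, not the URL, so it is not written to proxy or server access logs.
    """
    params = {"token": token}
    if token_type_hint is not None:
        params["token_type_hint"] = token_type_hint
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urllib.parse.urlencode(params)


class RevocationEndpoint:
    """In-memory model of the server behaviour this page describes.

    A known token is deleted on revocation; an unknown, expired or already revoked token is
    silently accepted; revoking an access token never touches refresh tokens and vice versa.
    """

    def __init__(self, client_id: str, client_secret: str) -> None:
        self._expected_auth = basic_auth_header(client_id, client_secret).encode("ascii")
        self.access_tokens: set = set()
        self.refresh_tokens: set = set()

    def handle(self, headers: Dict[str, str], body: str) -> Tuple[int, str]:
        """Process one revocation request and return (status, response body)."""
        presented = headers.get("Authorization", "").encode("utf-8", "replace")
        # Constant-time comparison so the secret cannot be recovered by timing the check.
        if not hmac.compare_digest(presented, self._expected_auth):
            return 401, json.dumps({"error": "invalid_client"})
        form = urllib.parse.parse_qs(body)
        token = form.get("token", [None])[0]
        if token is None:
            return 400, json.dumps({"error": "invalid_request"})
        # Discard wherever it lives; a miss is not an error, so the client learns nothing
        # about whether the token was still valid (RFC 7009 section 2.2).
        self.access_tokens.discard(token)
        self.refresh_tokens.discard(token)
        return 200, ""


def logout(server: RevocationEndpoint, client_id: str, client_secret: str,
           access_token: str, refresh_token: Optional[str] = None) -> List[int]:
    """End a session: revoking one token type does not revoke the other, so revoke both.

    The refresh token goes first so that an interruption between the two calls cannot leave
    the long-lived token behind. Returns the HTTP status of each revocation.
    """
    statuses = []
    for tok, hint in ((refresh_token, "refresh_token"), (access_token, "access_token")):
        if tok is None:
            continue
        headers, body = build_revocation_request(client_id, client_secret, tok, hint)
        status, _ = server.handle(headers, body)  # a real client POSTs this to REVOCATION_URL
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    srv = RevocationEndpoint(CLIENT_ID, CLIENT_SECRET)
    srv.access_tokens.add("at-1")
    srv.refresh_tokens.add("rt-1")
    print(logout(srv, CLIENT_ID, CLIENT_SECRET, "at-1", "rt-1"))
    print(srv.access_tokens, srv.refresh_tokens)
```

Revoking the refresh token first matters in practice: if the app crashes after the first call, what is left behind is the short-lived access token rather than a refresh token that could mint new access tokens for its remaining lifespan.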

For details, see RFC 6749 and RFC 7009.