If you would like to disable an access or refresh token, simply send a request to the /revoke endpoint for the appropriate Authorization Server.

This example makes a request to revoke an access token issued by the Org Authorization Server. The URL of the Authorization Server for your request might differ from the one in this example. See Authorization Servers for more information.

http --form POST https://${yourOktaDomain}/oauth2/v1/revoke \
  accept:application/json \
  authorization:'Basic ZmEz...' \
  cache-control:no-cache \
  content-type:application/x-www-form-urlencoded \
  token=eyJhbG...

Note: Revoking a token that is invalid, expired, or already revoked returns a 200 OK status code to prevent any information leaks.
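The same revocation scripted with curl, as an added example that is not part of Okta's documentation: it passes the client credential and the token to curl on stdin so they stay out of the process list, and it maps the HTTP status to an outcome. The variable names `OKTA_DOMAIN`, `CLIENT_ID` and `CLIENT_SECRET`, the function names and the outcome labels are assumptions; `token_type_hint` is the optional RFC 7009 parameter, and the 400/401 meanings follow RFC 7009 rather than this page.

```shell
#!/bin/sh
# Added example (not Okta's code). Assumed environment variables:
#   OKTA_DOMAIN, CLIENT_ID, CLIENT_SECRET

# HTTP Basic credential: base64("client_id:client_secret"), unwrapped.
basic_credential() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Map the /revoke status code to an outcome label (labels are assumptions).
# 200 only means the request was accepted: invalid, expired and already
# revoked tokens also return 200, so it is not proof the token was live.
# 400/401 meanings follow RFC 7009; in both cases nothing was revoked.
interpret_revoke_status() {
  case "$1" in
    200) echo "accepted" ;;
    400) echo "bad-request" ;;
    401) echo "client-auth-failed" ;;
    *)   echo "unexpected" ;;
  esac
}

# $1 = token, $2 = token_type_hint (access_token or refresh_token).
# Secrets go to curl through a config read from stdin (-K -), not argv.
revoke_token() {
  printf 'header = "Authorization: Basic %s"\ndata-urlencode = "token=%s"\ndata-urlencode = "token_type_hint=%s"\n' \
    "$(basic_credential "$CLIENT_ID" "$CLIENT_SECRET")" "$1" "$2" |
    curl -sS -K - -o /dev/null -w '%{http_code}' \
      -H 'Accept: application/json' \
      "https://${OKTA_DOMAIN}/oauth2/v1/revoke"
}

# Usage: ./revoke.sh <token> <access_token|refresh_token>
if [ "$#" -ge 2 ]; then
  : "${OKTA_DOMAIN:?set OKTA_DOMAIN}" "${CLIENT_ID:?set CLIENT_ID}" "${CLIENT_SECRET:?set CLIENT_SECRET}"
  status=$(revoke_token "$1" "$2") || status=000
  outcome=$(interpret_revoke_status "$status")
  echo "revoke $2: HTTP $status ($outcome)"
  [ "$outcome" = "accepted" ] || exit 1
fi
```

Treat any outcome other than `accepted` as "token still usable" in incident-response runbooks, and rerun the revocation once the client credentials or request are corrected.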

See Revoke a token in the Okta OpenID Connect & OAuth 2.0 API reference.


