POST /api/{serviceId}/auth/revocation

TypeScript (SDK)
import { Authlete } from "@authlete/typescript-sdk";

const authlete = new Authlete({
  bearer: process.env["AUTHLETE_BEARER"] ?? "",
});

async function run() {
  const result = await authlete.revocation.process({
    serviceId: "<id>",
    revocationRequest: {
      parameters: "VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI&token_type_hint=access_token",
      clientId: "26478243745571",
      clientSecret: "gXz97ISgLs4HuXwOZWch8GEmgL4YMvUJwu3er_kDVVGcA0UOhA9avLPbEmoeZdagi9yC_-tEiT2BdRyH9dbrQQ",
    },
  });

  console.log(result);
}

run();
Example response:
{
  "resultCode": "A113001",
  "resultMessage": "[A113001] The token has been revoked successfully.",
  "action": "OK"
}
This API is supposed to be called from within the implementation of the revocation endpoint (RFC 7009) of the authorization server implementation in order to revoke access tokens and refresh tokens. The response from the /auth/revocation API has several parameters. Among them, the action parameter is the one the authorization server implementation should check first, because it denotes the next action that the authorization server implementation should take. According to the value of action, the authorization server implementation must take the steps described below.

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete. In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of “500 Internal Server Error”. The value of responseContent is a JSON string which describes the error, so it can be used as the entity body of the response.
The following illustrates the response which the service implementation should generate and return to the client application.
HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{responseContent}

INVALID_CLIENT

When the value of action is INVALID_CLIENT, it means that authentication of the client failed. In this case, the HTTP status of the response to the client application is either “400 Bad Request” or “401 Unauthorized”. The description about invalid_client shown below is an excerpt from RFC 6749.
Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the WWW-Authenticate response header field matching the authentication scheme used by the client.
In either case, the value of responseContent is a JSON string which can be used as the entity body of the response to the client application.
The following illustrates the response which the service implementation should generate and return to the client application.
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{responseContent}

HTTP/1.1 401 Unauthorized
WWW-Authenticate: {challenge}
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{responseContent}

BAD_REQUEST

When the value of action is BAD_REQUEST, it means that the request from the client application is invalid. The HTTP status of the response returned to the client application must be “400 Bad Request” and the content type must be application/json. RFC 7009, 2.2.1. Error Response states “The error presentation conforms to the definition in Section 5.2 of [RFC 6749].” The value of responseContent is a JSON string which describes the error, so it can be used as the entity body of the response.
The following illustrates the response which the authorization server implementation should generate and return to the client application.
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{responseContent}

OK

When the value of action is OK, it means that the request from the client application is valid and that either the presented token has been revoked successfully or the client submitted an invalid token. Note that invalid tokens do not cause an error. See 2.2. Revocation Response for details. The HTTP status of the response returned to the client application must be 200 OK. If the original request from the client application contains a callback request parameter and its value is not empty, the content type should be application/javascript and the content should be a JavaScript snippet for JSONP. In that case the value of responseContent is the JavaScript snippet. Otherwise, the value of responseContent is null.
HTTP/1.1 200 OK
Content-Type: application/javascript
Cache-Control: no-store
Pragma: no-cache

{responseContent}
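The following is an added example, not code from the Authlete documentation or SDK, showing how a revocation endpoint can turn the /auth/revocation API result into the HTTP response described for each action value above. It also shows extracting the Basic-authentication credentials that the clientId and clientSecret request fields expect. The HttpResponse shape, the realm name in the WWW-Authenticate challenge, the clientUsedAuthorizationHeader flag and all sample values are assumptions for illustration; the SDK call itself is omitted so the block runs offline.

```typescript
// Added example (not the Authlete SDK's own code): mapping the /auth/revocation
// API result to the HTTP response a revocation endpoint (RFC 7009) returns.

type RevocationAction = "INTERNAL_SERVER_ERROR" | "INVALID_CLIENT" | "BAD_REQUEST" | "OK";

// Subset of the /auth/revocation response that the endpoint needs.
export interface RevocationApiResult {
  resultCode: string;
  resultMessage: string;
  action: RevocationAction;
  responseContent?: string | null;
}

// Framework-neutral HTTP response (hypothetical shape); adapt to your server framework.
export interface HttpResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
}

// Every response carries the no-cache headers shown in the illustrations above.
const NO_CACHE: Record<string, string> = { "Cache-Control": "no-store", Pragma: "no-cache" };

// Parse an application/x-www-form-urlencoded body (what the `parameters` field holds).
export function parseForm(body: string): Map<string, string> {
  const out = new Map<string, string>();
  for (const pair of body.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const k = eq < 0 ? pair : pair.slice(0, eq);
    const v = eq < 0 ? "" : pair.slice(eq + 1);
    out.set(decodeURIComponent(k.replace(/\+/g, " ")), decodeURIComponent(v.replace(/\+/g, " ")));
  }
  return out;
}

// Extract client_id / client_secret from an HTTP Basic Authorization header so they
// can be passed as the clientId / clientSecret fields of the API request.
export function parseBasicAuth(header: string | undefined): { clientId?: string; clientSecret?: string } {
  if (!header) return {};
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(header.trim());
  if (!m) return {};
  // Buffer is a Node global; reached via globalThis so no type declarations are required.
  const decoded: string = (globalThis as any).Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) return {};
  // RFC 6749 section 2.3.1: id and secret are form-encoded before base64 encoding.
  return {
    clientId: decodeURIComponent(decoded.slice(0, sep)),
    clientSecret: decodeURIComponent(decoded.slice(sep + 1)),
  };
}

// Map the API's `action` to the response described for each value above.
// `parameters` is the raw request body; `clientUsedAuthorizationHeader` (assumed flag)
// records whether the client authenticated via the Authorization header (400 vs 401).
export function buildRevocationResponse(
  result: RevocationApiResult,
  parameters: string,
  clientUsedAuthorizationHeader: boolean,
): HttpResponse {
  const json = { "Content-Type": "application/json", ...NO_CACHE };
  const content = result.responseContent ?? "";
  switch (result.action) {
    case "INTERNAL_SERVER_ERROR":
      return { status: 500, headers: json, body: content };
    case "INVALID_CLIENT":
      // RFC 6749: a client that used the Authorization header MUST get 401 + WWW-Authenticate.
      if (clientUsedAuthorizationHeader) {
        return { status: 401, headers: { "WWW-Authenticate": 'Basic realm="revocation"', ...json }, body: content };
      }
      return { status: 400, headers: json, body: content };
    case "BAD_REQUEST":
      return { status: 400, headers: json, body: content };
    case "OK": {
      const callback = parseForm(parameters).get("callback");
      if (callback) {
        // JSONP: responseContent is a JavaScript snippet, served as application/javascript.
        return { status: 200, headers: { "Content-Type": "application/javascript", ...NO_CACHE }, body: content };
      }
      // Plain revocation: responseContent is null, so the 200 carries no body.
      return { status: 200, headers: { ...NO_CACHE }, body: "" };
    }
    default:
      // Unknown action: fail closed rather than echo anything unexpected to the client.
      return { status: 500, headers: json, body: "" };
  }
}
```

In a real endpoint, parseBasicAuth feeds the clientId and clientSecret fields of the SDK call shown at the top of the page, the raw body goes into parameters, and the result of that call is passed to buildRevocationResponse. Note that for INVALID_CLIENT the 400/401 choice depends on how the client authenticated, which only the endpoint knows, so the flag is passed in rather than inferred from the API result.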

Authorizations

Authorization
string
header
required

Authenticate every request with a Service Access Token or Organization Token. Set the token value in the Authorization: Bearer <token> header.

Service Access Token: Scoped to a single service. Use when automating service-level configuration or runtime flows.

Organization Token: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically.

Both token types are issued by the Authlete console or provisioning APIs.

Path Parameters

serviceId
string
required

A service ID.

Body

parameters
string
required

OAuth 2.0 token revocation request parameters which are the request parameters that the OAuth 2.0 token revocation endpoint (RFC 7009) of the authorization server implementation received from the client application.

The value of parameters is the entire entity body (which is formatted in application/x-www-form-urlencoded) of the request from the client application.

clientId
string

The client ID extracted from the Authorization header of the revocation request from the client application.

If the revocation endpoint of the authorization server implementation supports Basic Authentication as a means of client authentication, and the request from the client application contains its client ID in the Authorization header, the value should be extracted and set to this parameter.

clientSecret
string

The client secret extracted from the Authorization header of the revocation request from the client application.

If the revocation endpoint of the authorization server implementation supports Basic Authentication as a means of client authentication, and the request from the client application contains its client secret in the Authorization header, the value should be extracted and set to this parameter.

clientCertificate
string

The client certificate used in the TLS connection between the client application and the revocation endpoint.

clientCertificatePath
string[]

The certificate path presented by the client during client authentication.

oauthClientAttestation
string

The value of the OAuth-Client-Attestation HTTP header, which is defined in the specification of OAuth 2.0 Attestation-Based Client Authentication.

oauthClientAttestationPop
string

The value of the OAuth-Client-Attestation-PoP HTTP header, which is defined in the specification of OAuth 2.0 Attestation-Based Client Authentication.

Response

Token revoked successfully

resultCode
string

The code which represents the result of the API call.

resultMessage
string

A short message which explains the result of the API call.

action
enum<string>

The next action that the authorization server implementation should take.

Available options:
INTERNAL_SERVER_ERROR,
INVALID_CLIENT,
BAD_REQUEST,
OK
responseContent
string

The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of the action parameter.