Oauth Revoke
OAuth
Oauth Revoke
Revoke a refresh or access token (RFC 7009).
The client tells us which token to invalidate. We:
- look it up as a refresh token by hash, and if found mark it revoked. The owning client has to match the authenticated client — a client cannot revoke another client’s token.
- if the token isn’t a known refresh token (or it’s a JWT access token), we still answer 200 OK. RFC 7009 §2.2 forbids leaking whether a token existed, and access tokens are stateless: they expire on their own within an hour.
token_type_hint is informational only — clients use it to say
“I think this is a refresh_token / access_token”. We don’t trust
it; we always probe both possibilities.
POST
Oauth Revoke
Authorizations
API-Token aus dem Big-Panda-Admin-UI unter Einstellungen → API-Keys. Header: Authorization: Bearer <token>.
Body
application/x-www-form-urlencoded
Response
Successful Response