> ## Documentation Index
> Fetch the complete documentation index at: https://docs.panderra.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Oauth Revoke

> Revoke a refresh or access token (RFC 7009).

The client tells us which token to invalidate. We:

- look it up as a refresh token by hash, and if found mark it
  revoked. The owning client has to match the authenticated
  client — a client cannot revoke another client's token.
- if the token isn't a known refresh token (or it's a JWT access
  token), we still answer 200 OK. RFC 7009 §2.2 forbids leaking
  whether a token existed, and access tokens are stateless: they
  expire on their own within an hour.

`token_type_hint` is informational only — clients use it to say
"I think this is a refresh_token / access_token". We don't trust
it; we always probe both possibilities.



## OpenAPI

````yaml /api-reference/openapi.json post /oauth/revoke
openapi: 3.1.0
info:
  title: Big Panda — Public API
  description: >-
    Externe REST-API für Connector-Plugins (JTL, Shopware), n8n-Integrationen
    und Custom-Clients. Tenant-Routing über Subdomain, Auth über Bearer-Token.
  version: 0.1.0
servers:
  - url: https://{tenant}.app.big-panda.ai
    description: Big Panda — Tenant-Subdomain. Ersetze {tenant} durch deinen Tenant-Slug.
    variables:
      tenant:
        default: demo
        description: Dein Big-Panda-Tenant-Slug (z.B. 'acme').
security:
  - BearerAuth: []
tags:
  - name: Products
  - name: Knowledge Entries
  - name: Categories
  - name: Sites
  - name: Search
  - name: OAuth
    description: >-
      OAuth-2.1-Authentifizierung — Discovery, Dynamic Client Registration,
      Authorize, Token, Revoke.
paths:
  /oauth/revoke:
    post:
      tags:
        - OAuth
      summary: Oauth Revoke
      description: |-
        Revoke a refresh or access token (RFC 7009).

        The client tells us which token to invalidate. We:

        - look it up as a refresh token by hash, and if found mark it
          revoked. The owning client has to match the authenticated
          client — a client cannot revoke another client's token.
        - if the token isn't a known refresh token (or it's a JWT access
          token), we still answer 200 OK. RFC 7009 §2.2 forbids leaking
          whether a token existed, and access tokens are stateless: they
          expire on their own within an hour.

        `token_type_hint` is informational only — clients use it to say
        "I think this is a refresh_token / access_token". We don't trust
        it; we always probe both possibilities.
      operationId: oauth_revoke_oauth_revoke_post
      parameters: []
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/Body_oauth_revoke_oauth_revoke_post'
        required: true
      responses:
        '200':
          description: Successful Response
          content:
            application/json:
              schema: {}
        '422':
          description: Validation Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HTTPValidationError'
components:
  schemas:
    Body_oauth_revoke_oauth_revoke_post:
      properties:
        token:
          type: string
          title: Token
        token_type_hint:
          anyOf:
            - type: string
            - type: 'null'
          title: Token Type Hint
        client_id:
          anyOf:
            - type: string
            - type: 'null'
          title: Client Id
        client_secret:
          anyOf:
            - type: string
            - type: 'null'
          title: Client Secret
      type: object
      required:
        - token
      title: Body_oauth_revoke_oauth_revoke_post
    HTTPValidationError:
      properties:
        detail:
          items:
            $ref: '#/components/schemas/ValidationError'
          type: array
          title: Detail
      type: object
      title: HTTPValidationError
    ValidationError:
      properties:
        loc:
          items:
            anyOf:
              - type: string
              - type: integer
          type: array
          title: Location
        msg:
          type: string
          title: Message
        type:
          type: string
          title: Error Type
      type: object
      required:
        - loc
        - msg
        - type
      title: ValidationError
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      description: >-
        API-Token aus dem Big-Panda-Admin-UI unter Einstellungen → API-Keys.
        Header: `Authorization: Bearer <token>`.

````