Revoke tokens

CyberArk Identity provides the client with a mechanism to revoke the ID, access, and refresh tokens. This revocation mechanism allows a client to invalidate its tokens if the end-user logs out, changes identity, or uninstalls the respective application.

The client requests the revocation of a particular token by making an HTTP POST request to the token revocation endpoint URL, as shown below:

POST https://{{tenant_url}}/oauth2/revoke/{{application_id}} HTTP/1.1
Content-Type: application/x-www-form-urlencoded

token={{access_token}}

The client ID and client secret should be passed in an Authorization header of type Basic. The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token.

Note: invalid tokens do not cause an error response since the client cannot reasonably handle such an error. Moreover, the purpose of the revocation request, invalidating the particular token, is already achieved.
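The following Python is an added example, not CyberArk's code or SDK. It builds the revocation request described above with the Basic authorization header and, at logout, treats a 200 response as confirmation for both revoked and already-invalid tokens. The function names, the `send` callable and the keyword names for the tenant and client values are assumptions made for illustration.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request


def build_revoke_request(tenant_url, application_id, client_id, client_secret, token):
    """Build, without sending, the revocation POST for one token."""
    url = "https://{}/oauth2/revoke/{}".format(
        tenant_url, urllib.parse.quote(application_id, safe=""))
    # Basic credentials: base64("client_id:client_secret")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    # urlencode() escapes '+', '/' and '=' so the token survives form decoding
    body = urllib.parse.urlencode({"token": token}).encode("ascii")
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + basic,
    })


def send_with_urllib(request):
    """Send the request and return the HTTP status code."""
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # urllib raises for non-2xx statuses; report the code


def revoke_all(tokens, send=send_with_urllib, **client):
    """Revoke every token of a session, e.g. at logout.

    Returns the names of tokens whose revocation was not confirmed, so the
    caller can retry them. A 200 means the token is unusable from now on,
    whether it was revoked by this call or was already invalid.
    """
    unconfirmed = []
    for name, token in tokens.items():
        try:
            status = send(build_revoke_request(token=token, **client))
        except OSError:  # network failure (URLError is an OSError)
            status = None
        if status != 200:
            unconfirmed.append(name)
    return unconfirmed
```

Revoke before discarding the local copies of the tokens, and keep any token named in the returned list until a retry succeeds.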

Integrate revoke token functionality using CyberArk Identity SDKs

CyberArk Identity provides SDKs to integrate revoke token functionality into your applications.