Revoke access token or refresh token
Revokes an access token or refresh token, immediately invalidating it and blocking associated tokens from making further requests.
When to revoke
- User disconnects their DoorFlow account from your integration
- User logs out
- Security breach - revoke compromised tokens
- Application uninstall
Important
- We recommend revoking the refresh_token - this will invalidate all associated access tokens
- Returns HTTP 200 even if the token was already invalid (prevents token scanning attacks)
- Client authentication is required via HTTP Basic Auth header
Authentication
You must authenticate using HTTP Basic Authentication with your client credentials:
1. Combine your client_id and client_secret as: {client_id}:{client_secret}
2. Encode using URL-safe Base64
3. Include in Authorization header: Authorization: Basic {encoded_credentials}
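An added example (not DoorFlow's own client code) showing the three authentication steps above, the request a client would send, and how to treat the two documented outcomes. It assumes an RFC 7009-style POST with a form-encoded `token` field and optional `token_type_hint`, and a placeholder base URL, since the page gives only the path:

```python
import base64
import json
from urllib.parse import urlencode

# Assumed placeholder; the page documents only the path /oauth/revoke.
DOORFLOW_BASE_URL = "https://example.invalid"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Steps 1-3: join as client_id:client_secret, encode with URL-safe Base64
    (the page specifies the URL-safe alphabet, not standard Base64), prefix 'Basic '."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.urlsafe_b64encode(raw).decode("ascii")


def build_revoke_request(client_id, client_secret, token, token_type_hint="refresh_token"):
    """Build the revocation request. Body shape (token / token_type_hint) is an
    RFC 7009 assumption, not stated on the page. Default hint is refresh_token
    because revoking it also invalidates the associated access tokens."""
    body = {"token": token}
    if token_type_hint:
        body["token_type_hint"] = token_type_hint
    return {
        "method": "POST",
        "url": DOORFLOW_BASE_URL + "/oauth/revoke",
        "headers": {
            # Never log this header or the body: both carry secrets.
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(body),
    }


def interpret_revoke_response(status: int, body: str) -> dict:
    """200 means revoked or already invalid (indistinguishable by design, so do
    not retry); Forbidden carries error / error_description fields."""
    if status == 200:
        return {"revoked": True, "error": None, "error_description": None}
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = {}
    return {
        "revoked": False,
        "error": payload.get("error", "unknown_error"),
        "error_description": payload.get("error_description", f"HTTP {status}"),
    }
```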
/oauth/revoke
Authentication
This endpoint requires authentication with your client credentials (see above).
Parameters
Header Parameters
Authorization
string
HTTP Basic Authentication using client_id:client_secret encoded with URL-safe Base64
Responses
200: Token revocation successful or token was already invalid. Returns HTTP 200 even for invalid tokens because:
- The client cannot handle such errors in a reasonable way
- The purpose of invalidating the token is already achieved
- It prevents information leakage about token validity
Empty JSON response body.
Forbidden: Client credentials not submitted correctly, or you are not authorized to revoke this token. Common causes:
- Not using the HTTP Basic Authentication scheme
- Credentials not encoded with URL-safe Base64
- Attempting to revoke a token that belongs to another client
Response Fields
error
string
e.g. unauthorized_client
error_description
string
e.g. You are not authorized to revoke this token