Revoke Access Token
Overview
Revokes (invalidates) an OAuth access token by its token_id. Use this to immediately block a compromised or no-longer-needed token.
Endpoint Details
| Definition | Description |
|---|---|
| Endpoint | https://api.paas-sandbox.co.passportfintech.com/v1/iam/oauth/tokens/:token_id |
| Method | DELETE |
| Headers | Accept-Language, Content-Length, Content-Type: application/json, Authorization |
| Authentication | Access Token (Bearer Token) |
Request Body
| Field | Type | Description |
|---|---|---|
| token_id | String | Unique identifier of the access token. |
Example Request
curl --location --request DELETE 'https://api.paas.sandbox.co.passportfintech.com/v1/iam/oauth/tokens/249a0a2e-028a-4e15-a841-de9fd4e4cd84' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <YOUR_ACCESS_TOKEN>' \
--data '{ "token_id": "249a0a2e-028a-4e15-a841-de9fd4e4cd84"}'
Response
This endpoint does not return a response body. A successful revocation returns HTTP status code 200.
Common Errors and Handling
| HTTP Status Code | Meaning | Description |
|---|---|---|
| 400 | Bad Request | Malformed token_id in path or body |
| 401 | Unauthorized | Missing/expired bearer token or token lacks iam.oauth.tokens.delete scope |
| 403 | Forbidden | Authenticated caller cannot revoke this token |
| 404 | Not Found | token_id does not exist or was already revoked |
| 409 | Conflict | Token is already revoked or in a non-revocable state |
| 500 | Server Error | Unexpected error; retry or contact support |
Best Practices
- Always send the token_id in both the path parameter and the body to avoid mismatches.
- Treat 200 OK as confirmation of success.
- In case of security incidents, combine this with List Tokens to identify and revoke other active tokens quickly.
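The status table and best practices above, applied to a batch revocation during an incident. This is an added example, not code from the API provider. The function names, the outcome labels and the retry policy are assumptions, as is the decision to treat 404 and 409 as "nothing left to block", which holds only when the ids come from List Tokens.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Sandbox endpoint from the Endpoint Details table on this page.
BASE = "https://api.paas-sandbox.co.passportfintech.com/v1/iam/oauth/tokens/"

def http_delete(token_id, bearer):
    """Send DELETE with token_id in both path and body; return the HTTP status."""
    req = urllib.request.Request(
        BASE + urllib.parse.quote(token_id, safe=""),
        data=json.dumps({"token_id": token_id}).encode(),
        method="DELETE",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + bearer})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx arrive as exceptions in urllib

def revoke(token_id, bearer, send=http_delete, tries=3, delay=1.0):
    """Revoke one token and classify the outcome (labels are hypothetical)."""
    for attempt in range(tries):
        status = send(token_id, bearer)
        if status == 200:
            return "revoked"
        if status in (404, 409):
            return "not_active"      # unknown or already revoked
        if status in (401, 403):
            return "caller_denied"   # caller problem: the target token may still be live
        if status == 400:
            return "bad_token_id"
        if attempt < tries - 1:      # 500 or unexpected status: wait, then retry
            time.sleep(delay)
    return "unresolved"

def revoke_all(token_ids, bearer, send=http_delete, delay=1.0):
    """Revoke a batch; also return the ids that may still be usable."""
    results = {t: revoke(t, bearer, send, delay=delay) for t in token_ids}
    live = [t for t, r in results.items() if r not in ("revoked", "not_active")]
    return results, live
```

Anything returned in `live` needs follow-up, since a 401, 403, 400 or repeated 500 means the target token was not confirmed revoked.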