Token revocation is a critical security feature in OAuth 2.0 that allows clients or authorization servers to invalidate access or refresh tokens before their natural expiration. This capability enhances control over user sessions and reduces risks in compromised environments.
What Is Token Revocation?
Token revocation is the process by which an access or refresh token is deliberately invalidated, rendering it unusable for further API access or token renewal. Unlike token expiration, revocation is immediate and intentional. It is only effective, however, where resource servers consult the authorization server's token state (through the introspection endpoint or a revocation list); a self-contained token such as a JWT that a resource server validates purely locally remains usable until it expires, whatever the authorization server has recorded.
Why Use Token Revocation?
- User logout: Invalidate tokens when a user explicitly logs out.
- Security breaches: Revoke tokens suspected to be compromised or leaked.
- Permission changes: When user permissions or roles change, revoke old tokens to enforce new policies.
- Application uninstall: Revoke tokens if a client app is uninstalled or access is withdrawn.
OAuth 2.0 Token Revocation Endpoint
RFC 7009 defines a standard token revocation endpoint, allowing a client to ask the authorization server to revoke a token that was issued to it.
Revocation request example (cURL):
curl -X POST "https://auth.example.com/oauth2/revoke" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "token=ACCESS_OR_REFRESH_TOKEN&token_type_hint=access_token&client_id=your_client_id&client_secret=your_client_secret"
- token (required): the token to revoke.
- token_type_hint (optional): access_token or refresh_token. This is only a hint that lets the server search the most likely store first; RFC 7009 requires the server to extend its search to its other token types if the token is not found under the hinted type.
- Client credentials authenticate the request: a confidential client sends client_id and client_secret (in the body as above, or via HTTP Basic or any other client authentication method the server supports); a public client sends only its client_id. The server then checks that the token was actually issued to that client.
How Authorization Servers Handle Revocation
Upon receiving a valid revocation request:
- The server looks the token up (using token_type_hint only to order the search) and marks it as revoked immediately.
- The token becomes invalid for any further use. Resource servers only observe this if they check token state, for example through the introspection endpoint; a self-contained JWT that is validated locally keeps working until it expires.
- When a refresh token is revoked, RFC 7009 says the server SHOULD also revoke the access tokens issued from the same authorization grant. Revoking an access token MAY also revoke the associated refresh token, depending on the server's policy.
- The server returns HTTP 200 OK whether the token was live, already revoked or never existed, so the endpoint cannot be used to test whether a token value is valid. Error responses are reserved for malformed requests (invalid_request), an unsupported token_type_hint value (unsupported_token_type) and failed client authentication (invalid_client).
Best Practices for Token Revocation
- Implement revocation endpoints conforming to RFC 7009.
- Require client authentication for revocation requests, and verify that the token belongs to the requesting client, so one client cannot revoke (or probe) another client's tokens.
- Log revocation events for auditing and incident response.
- Cascade revocation: when a refresh token is revoked, revoke every access token issued from the same grant (RFC 7009 recommends this), since losing the refresh token means the whole session is suspect.
- Combine revocation with short-lived access tokens and refresh token rotation, so that a leaked access token has only a small window even on resource servers that do not check revocation state on every request.
Real-World Scenario
Imagine a banking app where a user’s device is lost. The user logs into their online account and triggers a global logout. The system revokes all access and refresh tokens issued to that device immediately, preventing unauthorized access.
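To make the server-side behaviour above concrete (the lookup with a fallible hint, the 200-for-everything rule, cascading from a refresh token to its access tokens, and the "log out everywhere" scenario), here is an added example in Python. It is not code from the original page or from any real authorization server; RevocationServer, issue(), revoke(), global_logout() and is_active() are names chosen for this example, and the token store is an in-memory dictionary standing in for a database. Tokens are opaque random strings, so revocation takes effect as soon as is_active() is consulted.

```python
# Added example, not code from the original page: an in-memory model of an
# RFC 7009 revocation endpoint. RevocationServer, issue(), global_logout()
# and is_active() are names chosen for this example, not a real server's API.
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ACCESS, REFRESH = "access_token", "refresh_token"


@dataclass
class Token:
    value: str
    kind: str          # ACCESS or REFRESH
    client_id: str     # client the token was issued to
    grant_id: str      # ties every token from one authorization grant together
    subject: str       # end user the grant belongs to
    expires_at: float
    revoked: bool = False


@dataclass
class RevocationServer:
    clients: Dict[str, str]                     # client_id -> client_secret
    store: Dict[str, Dict[str, Token]] = field(
        default_factory=lambda: {ACCESS: {}, REFRESH: {}})
    audit_log: list = field(default_factory=list)

    def issue(self, client_id: str, subject: str, grant_id: str,
              kind: str, ttl: int) -> str:
        value = secrets.token_urlsafe(32)
        self.store[kind][value] = Token(value, kind, client_id, grant_id,
                                        subject, time.time() + ttl)
        return value

    def _authenticate(self, client_id: str, client_secret: str) -> bool:
        # Confidential client: compare the secret in constant time.
        expected = self.clients.get(client_id)
        return expected is not None and hmac.compare_digest(
            expected.encode(), client_secret.encode())

    def _lookup(self, value: str, hint: Optional[str]) -> Optional[Token]:
        # token_type_hint only orders the search; when it misses, RFC 7009
        # requires the server to search its other token types too.
        order = [k for k in (hint, ACCESS, REFRESH) if k in (ACCESS, REFRESH)]
        for kind in dict.fromkeys(order):        # dedupe, keep order
            tok = self.store[kind].get(value)
            if tok is not None:
                return tok
        return None

    def _revoke(self, tok: Token, actor: str, reason: str) -> None:
        tok.revoked = True
        self.audit_log.append((time.time(), actor, reason, tok.kind, tok.grant_id))
        # Cascade: a revoked refresh token takes the access tokens of the same
        # grant with it (RFC 7009 SHOULD). Revoking an access token leaves its
        # refresh token alone here; the RFC allows either policy.
        if tok.kind == REFRESH:
            for at in self.store[ACCESS].values():
                if at.grant_id == tok.grant_id and not at.revoked:
                    self._revoke(at, actor, "cascade")

    def revoke(self, form: Dict[str, str], client_id: str,
               client_secret: str) -> Tuple[int, dict]:
        """Handle POST /oauth2/revoke. Returns (HTTP status, JSON body)."""
        if not self._authenticate(client_id, client_secret):
            return 401, {"error": "invalid_client"}
        value = form.get("token")
        if not value:
            return 400, {"error": "invalid_request"}
        hint = form.get("token_type_hint")
        if hint is not None and hint not in (ACCESS, REFRESH):
            return 400, {"error": "unsupported_token_type"}
        tok = self._lookup(value, hint)
        # Unknown token, or a token issued to another client: change nothing but
        # still answer 200, so the endpoint cannot be used to probe whether a
        # guessed or stolen token value is live (RFC 7009 also permits an error
        # for the wrong-client case; staying silent leaks less).
        if tok is None or tok.client_id != client_id:
            self.audit_log.append((time.time(), client_id, "noop", hint, None))
            return 200, {}
        self._revoke(tok, client_id, "client_request")
        return 200, {}

    def global_logout(self, subject: str) -> int:
        """'Log out everywhere': revoke every live token for a user.
        Returns how many tokens went from live to revoked, cascades included."""
        live = [t for kind in (REFRESH, ACCESS) for t in self.store[kind].values()
                if t.subject == subject and not t.revoked]
        for tok in live:
            if not tok.revoked:                  # a cascade may have got there first
                self._revoke(tok, "user:" + subject, "global_logout")
        return len(live)

    def is_active(self, value: str) -> bool:
        """The check a resource server or introspection endpoint must make:
        known, not revoked and not expired."""
        tok = self._lookup(value, None)
        return tok is not None and not tok.revoked and tok.expires_at > time.time()
```

Revoking a refresh token with a wrong token_type_hint of access_token still succeeds because the lookup falls through to the refresh-token store, and the cascade then invalidates the access tokens of that grant only; an unknown token, or a token belonging to a different client, produces the same 200 response as a successful revocation, which is exactly what stops the endpoint from becoming a token-validity oracle. The audit_log entries are what an incident responder would correlate with failed API calls to spot use of a token after it was revoked.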
Summary
Token revocation enhances OAuth 2.0 security by allowing immediate invalidation of tokens. Proper implementation protects users and applications from unauthorized access in dynamic security environments.
👉 Related:
OAuth 2.0 Token Introspection: Real-Time Validation Explained
How OAuth 2.1 Refresh Tokens Work: Best Practices and Expiry
💡 Have you integrated token revocation in your OAuth flows? How do you monitor for unauthorized token usage or revocation events?