Invalidate a token

Added in 5.5.0

DELETE /_security/oauth2/token

The access tokens returned by the get token API have a finite period of time for which they are valid. After that time period, they can no longer be used. The time period is defined by the xpack.security.authc.token.timeout setting.

The refresh tokens returned by the get token API are only valid for 24 hours. They can also be used exactly once. If you want to invalidate one or more access or refresh tokens immediately, use this invalidate token API.

curl \
 -X DELETE http://api.example.com/_security/oauth2/token \
 -H "Content-Type: application/json" \
 -d '{"token":"string","refresh_token":"string","realm_name":"string","username":"string"}'
Request examples
{
  "token": "string",
  "refresh_token": "string",
  "realm_name": "string",
  "username": "string"
}
Response examples (200)
{
  "error_count": 42.0,
  "error_details": [
    {
      "type": "string",
      "reason": "string",
      "stack_trace": "string",
      "caused_by": {},
      "root_cause": [
        {}
      ],
      "suppressed": [
        {}
      ]
    }
  ],
  "invalidated_tokens": 42.0,
  "previously_invalidated_tokens": 42.0
}
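
The response above carries error_count next to the two token counters, so a caller revoking tokens should read the body rather than stop at the HTTP status. The following Python sketch is an added example, not part of the original reference: it builds the DELETE request and classifies the response fields. The function names, the HTTPS-only check, and the use of an API key in the Authorization header are assumptions made for the example.

```python
import json
import urllib.request

PATH = "/_security/oauth2/token"
FIELDS = ("token", "refresh_token", "realm_name", "username")

def build_invalidate_request(base_url, api_key, **selector):
    """Build (without sending) the DELETE request for the invalidate token API."""
    unknown = set(selector) - set(FIELDS)
    body = {k: v for k, v in selector.items() if v}
    if unknown or not body:
        raise ValueError("pass at least one of: " + ", ".join(FIELDS))
    if not base_url.startswith("https://"):
        # The body carries bearer tokens, so refuse cleartext transport.
        raise ValueError("use an https:// endpoint")
    return urllib.request.Request(
        base_url.rstrip("/") + PATH,
        data=json.dumps(body).encode(),
        method="DELETE",
        headers={"Content-Type": "application/json",
                 # Assumption: caller authenticates with an encoded API key.
                 "Authorization": "ApiKey " + api_key},
    )

def summarize_invalidation(resp):
    """Classify a response body: a 200 can still report per-token errors."""
    errors = int(resp.get("error_count", 0))
    newly = int(resp.get("invalidated_tokens", 0))
    already = int(resp.get("previously_invalidated_tokens", 0))
    if errors:
        status = "partial" if newly or already else "failed"
    elif newly:
        status = "revoked"
    elif already:
        status = "already_revoked"
    else:
        status = "no_match"
    reasons = [d.get("reason", "") for d in resp.get("error_details", [])]
    return {"status": status, "invalidated": newly,
            "previously_invalidated": already, "errors": errors, "reasons": reasons}

def invalidate(base_url, api_key, **selector):
    """Send the request and return the summary (needs a reachable cluster)."""
    req = build_invalidate_request(base_url, api_key, **selector)
    with urllib.request.urlopen(req, timeout=10) as http_resp:
        return summarize_invalidation(json.load(http_resp))

# Constructed sample body in the shape of the 200 response shown above.
SAMPLE = {"error_count": 1, "invalidated_tokens": 2, "previously_invalidated_tokens": 0,
          "error_details": [{"type": "exception", "reason": "constructed failure"}]}
```

A "partial" or "failed" status means at least one token may still be usable until its normal expiry, so the request should be retried or escalated rather than treated as done.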