Invalidate a token Added in 5.5.0
The access tokens returned by the get token API have a finite period of time for which they are valid.
After that time period, they can no longer be used.
The time period is defined by the xpack.security.authc.token.timeout setting.
The refresh tokens returned by the get token API are only valid for 24 hours. They can also be used exactly once. If you want to invalidate one or more access or refresh tokens immediately, use this invalidate token API.
Body Required
-
token string
-
refresh_token string
-
realm_name string
-
username string
DELETE /_security/oauth2/token
curl \
-X DELETE http://api.example.com/_security/oauth2/token \
-H "Content-Type: application/json" \
-d '{"token":"string","refresh_token":"string","realm_name":"string","username":"string"}'
Request examples
{
"token": "string",
"refresh_token": "string",
"realm_name": "string",
"username": "string"
}
Response examples (200)
{
"error_count": 42.0,
"error_details": [
{
"type": "string",
"reason": "string",
"stack_trace": "string",
"caused_by": {},
"root_cause": [
{}
],
"suppressed": [
{}
]
}
],
"invalidated_tokens": 42.0,
"previously_invalidated_tokens": 42.0
}