Invalidate token API

Invalidates an access token or a refresh token.
Request

DELETE /_xpack/security/oauth2/token
Description

The access tokens returned by the get token API are valid for a finite period of time; after that period they can no longer be used. The period is defined by the xpack.security.authc.token.timeout setting. For more information, see Token service settings.

The refresh tokens returned by the get token API are only valid for 24 hours, and each refresh token can be used exactly once.

If you want to invalidate an access token or a refresh token immediately (for example, on logout or when a token is suspected to have leaked), use this invalidate token API.
Request Body

The following parameters can be specified in the body of a DELETE request and pertain to invalidating a token:

- token (optional) - (string) An access token. This parameter cannot be used when refresh_token is used.
- refresh_token (optional) - (string) A refresh token. This parameter cannot be used when token is used.

Exactly one of the token or refresh_token parameters is required.
Examples

The following example invalidates the specified access token immediately:

DELETE /_xpack/security/oauth2/token
{
  "token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ=="
}

whereas the following example invalidates the specified refresh token immediately:

DELETE /_xpack/security/oauth2/token
{
  "refresh_token" : "movUJjPGRRC0PQ7+NW0eag"
}

A successful call returns a JSON structure that indicates whether the token had already been invalidated.
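The following Python client is an added example, not Elastic's own code or part of this page. It builds the DELETE request for the endpoint above, enforces client-side the rule that exactly one of token or refresh_token must be present, and interprets the response. Two things are assumptions: the response is read as the 6.x shape {"created": true/false} (true when the token was newly invalidated, false when it had already been invalidated), and the FakeTokenService is a constructed in-memory stand-in for a cluster so the example runs offline; the urllib_transport function shows how the same code would talk to a real cluster with hypothetical basic-auth credentials.

```python
"""Invalidate X-Pack access/refresh tokens (added example; not Elastic's code)."""
import base64
import json
import urllib.request
from typing import Callable, Optional, Set, Tuple

# Endpoint taken from the page.
INVALIDATE_PATH = "/_xpack/security/oauth2/token"

# A transport takes (method, path, json_body) and returns (http_status, response_body).
Transport = Callable[[str, str, str], Tuple[int, str]]


def build_invalidate_request(token: Optional[str] = None,
                             refresh_token: Optional[str] = None) -> Tuple[str, str, str]:
    """Return (method, path, json_body) for invalidating exactly one token.

    The API accepts either 'token' or 'refresh_token', never both and never
    neither, so that rule is checked here before anything is sent.
    """
    if (token is None) == (refresh_token is None):
        raise ValueError("exactly one of token or refresh_token must be given")
    body = {"token": token} if token is not None else {"refresh_token": refresh_token}
    return "DELETE", INVALIDATE_PATH, json.dumps(body)


def urllib_transport(base_url: str, username: str, password: str) -> Transport:
    """Transport for a real cluster over HTTP basic auth (hypothetical credentials)."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()

    def send(method: str, path: str, body: str) -> Tuple[int, str]:
        req = urllib.request.Request(
            base_url + path, data=body.encode(), method=method,
            headers={"Content-Type": "application/json",
                     "Authorization": "Basic " + creds})
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()

    return send


class FakeTokenService:
    """Constructed stand-in for the cluster's token service (runs offline).

    Remembers which token strings were already invalidated and answers with the
    assumed 6.x response shape: {"created": true} the first time a token is
    invalidated, {"created": false} on any later call for the same token.
    """

    def __init__(self) -> None:
        self.invalidated: Set[str] = set()

    def __call__(self, method: str, path: str, body: str) -> Tuple[int, str]:
        if method != "DELETE" or path != INVALIDATE_PATH:
            return 404, json.dumps({"error": "unknown endpoint"})
        payload = json.loads(body)
        value = payload.get("token") or payload.get("refresh_token")
        first_time = value not in self.invalidated
        self.invalidated.add(value)
        return 200, json.dumps({"created": first_time})


def invalidate(transport: Transport, token: Optional[str] = None,
               refresh_token: Optional[str] = None) -> bool:
    """Invalidate one token; True if newly invalidated, False if it already was."""
    method, path, body = build_invalidate_request(token, refresh_token)
    status, resp_body = transport(method, path, body)
    if status != 200:
        raise RuntimeError(f"invalidate failed: HTTP {status} {resp_body}")
    return bool(json.loads(resp_body)["created"])


if __name__ == "__main__":
    # Offline demonstration against the constructed service; the refresh token
    # value is the sample from the page, not a real credential.
    service = FakeTokenService()
    print(invalidate(service, refresh_token="movUJjPGRRC0PQ7+NW0eag"))  # True
    print(invalidate(service, refresh_token="movUJjPGRRC0PQ7+NW0eag"))  # False
```

Because the second call for the same token reports that it had already been invalidated rather than failing, a logout or revocation routine can safely retry the request after a timeout without special-casing duplicates; the client-side check in build_invalidate_request turns the "both parameters" and "no parameters" mistakes into a local error instead of a rejected request.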