/revoke

Revoke an access token or refresh token for the authenticated client.

Endpoint

  • Method: POST
  • URL: https://sso.user.m7.org/revoke
  • Content type: application/x-www-form-urlencoded
  • Response: JSON

Client authentication

Current public auth methods:

  • client_secret_basic
  • client_secret_post

Request fields

  • token (required)
  • token_type_hint (optional)

Current compatibility note:

  • the endpoint also accepts refresh_token as an alternate input name
  • new integrations should prefer token

Example

curl -sS https://sso.user.m7.org/revoke \
  -u 'CLIENT_ID:CLIENT_SECRET' \
  -d token='TOKEN_TO_REVOKE' \
  -d token_type_hint='refresh_token'

Success response

Current success responses are empty JSON objects or equivalent empty JSON bodies, for example:

{}

Common errors

  • invalid_request
  • invalid_client
  • insufficient_scope

Notes

  • If the token can be decoded locally and clearly belongs to a different client, the request is rejected before the upstream revoke call is made.
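
The ownership pre-check described in the note above, sketched as an added example; it is not the service's own code. It assumes locally decodable tokens are JWT-shaped and that the owning client appears in a client_id or azp claim, which this page does not specify. The names precheck, token_owner and make_sample_token are hypothetical.

```python
import base64
import json

# Assumption: the owning client is carried in one of these claims.
OWNER_CLAIMS = ("client_id", "azp")

def make_sample_token(claims):
    """Build a constructed, unsigned JWT-shaped string for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return ".".join([enc({"typ": "JWT"}), enc(claims), "sig"])

def token_owner(token):
    """Return the client id named inside the token, or None if unreadable."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque token: nothing to decode locally
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded.encode("ascii")))
    except ValueError:  # covers bad base64, bad JSON and bad encoding
        return None
    if not isinstance(claims, dict):
        return None
    for name in OWNER_CLAIMS:
        value = claims.get(name)
        if isinstance(value, str) and value:
            return value
    return None

def precheck(token, authenticated_client_id):
    """Return 'reject' only on a clear mismatch, otherwise 'forward'.

    The payload is read without verifying the signature, so the result is
    used only to refuse early, never to treat a token as valid.
    """
    owner = token_owner(token)
    if owner is not None and owner != authenticated_client_id:
        return "reject"
    return "forward"

if __name__ == "__main__":
    mine = make_sample_token({"client_id": "client-a"})
    other = make_sample_token({"client_id": "client-b"})
    for tok in (mine, other, "opaque-refresh-token"):
        print(precheck(tok, "client-a"))
```

Opaque or malformed tokens return 'forward' because nothing about them can be established locally; the upstream revoke call remains the authority on whether they belong to the caller.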