Invalidate token API
Invalidates an access token or a refresh token.
Request
DELETE /_xpack/security/oauth2/token
Description
The access tokens returned by the get token API have a
finite period of time for which they are valid and after that time period, they
can no longer be used. That time period is defined by the
xpack.security.authc.token.timeout setting. For more information, see
Token service settings.
The refresh tokens returned by the get token API are only valid for 24 hours. They can also be used exactly once.
If you want to invalidate an access or refresh token immediately, use this invalidate token API.
Request Body
The following parameters can be specified in the body of a DELETE request and pertain to invalidating a token:
- token (optional)
  (string) An access token. This parameter cannot be used when refresh_token is used.
- refresh_token (optional)
  (string) A refresh token. This parameter cannot be used when token is used.
Exactly one of the token or refresh_token parameters is required.
Examples
The following example invalidates the specified token immediately:
DELETE /_xpack/security/oauth2/token
{
"token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ=="
}
whereas the following example invalidates the specified refresh token immediately:
DELETE /_xpack/security/oauth2/token
{
"refresh_token" : "movUJjPGRRC0PQ7+NW0eag"
}
A successful call returns a JSON structure that indicates whether the token has already been invalidated.
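As an added example (not part of the original documentation and not Elasticsearch client code), the following Python helper builds the DELETE body described above, enforcing that exactly one of token or refresh_token is supplied, sends it to the endpoint on this page, and reads the result. The names build_invalidate_body, invalidate_token and FakeTokenService are assumptions, as is the response shape {"created": bool}, which is used here only to model "already invalidated"; the fake service stands in for a cluster so the example runs offline.

```python
import json
import urllib.request
from typing import Callable, Optional

# Endpoint documented on this page.
INVALIDATE_PATH = "/_xpack/security/oauth2/token"


def build_invalidate_body(token: Optional[str] = None,
                          refresh_token: Optional[str] = None) -> dict:
    """Return the DELETE body. Exactly one of token / refresh_token is allowed."""
    if (token is None) == (refresh_token is None):
        raise ValueError("specify exactly one of token or refresh_token")
    return {"token": token} if token is not None else {"refresh_token": refresh_token}


def _urllib_sender(url: str, body: dict, auth_header: str) -> dict:
    """Default transport: HTTP DELETE with a JSON body (no third-party client)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="DELETE",
        headers={"Content-Type": "application/json", "Authorization": auth_header})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def invalidate_token(base_url: str, auth_header: str, *,
                     token: Optional[str] = None,
                     refresh_token: Optional[str] = None,
                     sender: Callable[[str, dict, str], dict] = _urllib_sender) -> bool:
    """Invalidate one token. True if this call revoked it, False if it was already invalid."""
    body = build_invalidate_body(token=token, refresh_token=refresh_token)
    result = sender(base_url.rstrip("/") + INVALIDATE_PATH, body, auth_header)
    # Assumption: a {"created": bool} response, False meaning "already invalidated".
    return bool(result.get("created", False))


class FakeTokenService:
    """Constructed stand-in for the cluster: remembers which tokens are revoked."""

    def __init__(self) -> None:
        self.revoked: set = set()

    def __call__(self, url: str, body: dict, auth_header: str) -> dict:
        assert url.endswith(INVALIDATE_PATH), "unexpected endpoint"
        value = body.get("token") or body.get("refresh_token")
        first_time = value not in self.revoked
        self.revoked.add(value)
        return {"created": first_time}


if __name__ == "__main__":
    svc = FakeTokenService()   # constructed; replace with the default sender for a real cluster
    print(invalidate_token("http://localhost:9200", "Basic <credentials>", token="t1", sender=svc))
    print(invalidate_token("http://localhost:9200", "Basic <credentials>", token="t1", sender=svc))
```

Revoking on logout or on a detected credential leak is the defensive use: the second call on the same token reports that it was already invalidated rather than failing.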