OAuth 2.0 Token Revocation (RFC 7009)
POST /oauth/revoke
Revokes an access token or refresh token. Body MUST be application/x-www-form-urlencoded. Per RFC 7009 §2.2, the response is 200 OK whether the token was successfully revoked, already revoked, expired, or unknown — this prevents leaking information about token validity. Revoking a refresh token cascades to the entire token family (all access + refresh tokens issued from the same grant). Revoking an access token does NOT cascade.
Request Body
The body is a form-encoded object with the parameters defined in RFC 7009 §2.1 and the RFC 6749 client credentials:

token: The token to revoke. Can be either an access token (prefix bwp_at_) or a refresh token (prefix bwp_rt_).
token_type_hint: Optional hint about the token type (access_token or refresh_token). The server still falls back to the other type if the hinted lookup misses (RFC 7009 §4.1.2).
client_id: OAuth client identifier issued by the registration endpoint.
client_secret: Required for confidential clients; MUST be omitted for public clients.
Responses
200 OK: Token revoked, already revoked, expired, or unknown. All of these return 200 per RFC 7009 §2.2, so the response does not reveal whether the token was valid.
Error: RFC 7009 error envelope object carrying one of invalid_request, invalid_client, or invalid_grant.
Client authentication failed: Error envelope with invalid_client.
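The three server-side rules this page specifies (hint fallback, uniform 200 regardless of token state, cascade only for refresh tokens) modelled as an added in-memory example; this is not the service's own code. The bwp_at_/bwp_rt_ prefixes are from the page, while the TokenStore layout, the grant_id field and the revoke() signature are assumptions, and client authentication is left out.

```python
# Added example: an in-memory model of the RFC 7009 semantics documented above.
# Store layout, grant_id and the revoke() signature are assumptions, not the
# service's real implementation.
from dataclasses import dataclass, field


@dataclass
class Token:
    value: str        # "bwp_at_..." for access tokens, "bwp_rt_..." for refresh tokens
    grant_id: str     # every token minted from one authorization grant shares this id
    revoked: bool = False


@dataclass
class TokenStore:
    access: dict = field(default_factory=dict)    # token value -> Token
    refresh: dict = field(default_factory=dict)   # token value -> Token

    def _lookup(self, token, hint):
        # RFC 7009 §4.1.2: the hint only orders the search; if the hinted table
        # misses, the other table is tried before giving up.
        order = [self.refresh, self.access] if hint == "refresh_token" else [self.access, self.refresh]
        for table in order:
            if token in table:
                return table, table[token]
        return None, None

    def revoke(self, token, token_type_hint=None):
        """Return the HTTP status for the revocation request.

        Always 200, including for unknown, expired and already-revoked tokens
        (RFC 7009 §2.2), so the caller learns nothing about token validity.
        """
        table, found = self._lookup(token, token_type_hint)
        if found is None or found.revoked:
            return 200
        found.revoked = True
        if table is self.refresh:
            # Revoking a refresh token cascades to the whole token family.
            for t in list(self.access.values()) + list(self.refresh.values()):
                if t.grant_id == found.grant_id:
                    t.revoked = True
        # Revoking an access token does NOT cascade: its refresh token stays usable.
        return 200

    def is_active(self, token):
        _, found = self._lookup(token, None)
        return found is not None and not found.revoked


def demo_store():
    """Two grants (constructed sample data), each with one access and one refresh token."""
    store = TokenStore()
    for grant, n in (("grant-A", 1), ("grant-B", 2)):
        store.access[f"bwp_at_{n}"] = Token(f"bwp_at_{n}", grant)
        store.refresh[f"bwp_rt_{n}"] = Token(f"bwp_rt_{n}", grant)
    return store
```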