REVOCATION Endpoint - Amazon Cognito

REVOCATION Endpoint

The /oauth2/revoke endpoint revokes a refresh token and invalidates all of the access tokens that were issued from it. After revocation, neither the refresh token nor those access tokens can be used to access Cognito-authenticated APIs.

POST /oauth2/revoke

The /oauth2/revoke endpoint only supports HTTPS POST. The user pool app client sends requests to this endpoint directly, not through the system browser.

Request Parameters in Header

Authorization

If the app client was issued a secret, it must authenticate with HTTP Basic authentication: the Authorization header value is the word Basic followed by Base64Encode(client_id:client_secret). The client_id is then not repeated in the body.

Content-Type

Must always be 'application/x-www-form-urlencoded'.

Request Parameters in Body

token

The refresh token that the client wants to revoke. All access tokens issued from this refresh token are also revoked.

Required.

client_id

The app client ID for the token that you want to revoke.

Required if the app client is public (has no client secret). When a secret is configured, the client ID is sent in the Authorization header instead.

Revocation request examples

Example #1: Revoke a token for an app client without a client secret

POST /oauth2/revoke HTTP/1.1
Host: auth-domain.auth.us-east-1.amazoncognito.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded

token=2YotnFZFEjr1zCsicMWpAA&client_id=djc98u3jiedmi283eu928

Example #2: Revoke a token for an app client with a client secret

POST /oauth2/revoke HTTP/1.1
Host: auth-domain.auth.us-east-1.amazoncognito.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=2YotnFZFEjr1zCsicMWpAA

Revocation error response

A successful response contains an empty body. The error response is a JSON object with an error field and in some cases an error_description field.

Endpoint errors

  • HTTP 400 and error invalid_request is returned if the token parameter is missing from the request, or if token revocation is disabled for the app client.

  • HTTP 400 and error unsupported_token_type is returned if the token sent in the revocation request is not a refresh token.

  • HTTP 401 and error invalid_client is returned if the client credentials are invalid.

  • HTTP 200 is returned if the token has been revoked, and also if the client submitted an invalid or unknown token. A 200 therefore does not confirm that the token was valid before the call; the endpoint cannot be used to check whether a token is still live, and a client should treat 200 as "this token is no longer usable" in either case.
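As an added example that is not part of the Cognito documentation, the following Python client builds both request shapes from the examples above (public client with client_id in the body, confidential client with HTTP Basic credentials in the Authorization header) and maps the documented status codes and error fields to a single outcome. The domain, token and credential values are placeholders; the s6BhdRkqt3 / gX1fBat3bV pair is the client ID and secret that Base64-encode to the Authorization header shown in Example #2. Only the standard library is used, and the network call is kept in its own function so the rest runs offline.

```python
import base64
import http.client
import json
import urllib.parse
from dataclasses import dataclass, field
from typing import Optional, Tuple

REVOKE_PATH = "/oauth2/revoke"


@dataclass
class RevokeRequest:
    """The parts of an HTTPS POST to /oauth2/revoke."""
    host: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def build_revoke_request(domain: str, refresh_token: str, client_id: str,
                         client_secret: Optional[str] = None) -> RevokeRequest:
    """Build the request for either kind of app client.

    Confidential client (has a secret): client_id:client_secret is Base64-encoded
    into an HTTP Basic Authorization header and the body carries only the token.
    Public client (no secret): client_id travels in the form body next to the token.
    """
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",  # the only accepted type
    }
    if client_secret:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {creds}"
        form = {"token": refresh_token}
    else:
        form = {"token": refresh_token, "client_id": client_id}
    return RevokeRequest(host=domain, headers=headers, body=urllib.parse.urlencode(form))


def send_revoke(req: RevokeRequest, timeout: float = 10.0) -> Tuple[int, bytes]:
    """POST the request over HTTPS (the endpoint accepts nothing else) and
    return (status, raw body). This is the only function that touches the network."""
    conn = http.client.HTTPSConnection(req.host, timeout=timeout)
    try:
        conn.request("POST", REVOKE_PATH, body=req.body, headers=req.headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def interpret_response(status: int, body: bytes) -> Tuple[bool, str, str]:
    """Map a revocation response to (token_unusable, code, detail).

    A 200 carries an empty body and means the token is no longer usable, whether
    it was just revoked or was never valid; the endpoint deliberately does not
    say which, so a 200 must not be read as proof that the token was live.
    """
    if status == 200:
        return True, "ok", "revoked or already invalid"
    try:
        err = json.loads(body.decode("utf-8")) if body else {}
    except (ValueError, UnicodeDecodeError):
        err = {}
    code = err.get("error", "unknown_error")
    # The documented (status, error) pairs and what each one means for the caller.
    known = {
        (400, "invalid_request"): "token missing, or token revocation disabled for this app client",
        (400, "unsupported_token_type"): "token is not a refresh token",
        (401, "invalid_client"): "client credentials rejected",
    }
    detail = known.get((status, code)) or err.get("error_description") or f"HTTP {status}"
    return False, code, detail


if __name__ == "__main__":
    # Placeholder values only; no request is sent here.
    public = build_revoke_request("auth-domain.auth.us-east-1.amazoncognito.com",
                                  "2YotnFZFEjr1zCsicMWpAA", "djc98u3jiedmi283eu928")
    confidential = build_revoke_request("auth-domain.auth.us-east-1.amazoncognito.com",
                                        "2YotnFZFEjr1zCsicMWpAA", "s6BhdRkqt3", "gX1fBat3bV")
    print(public.body)
    print(confidential.headers["Authorization"])
    # Constructed responses, shaped like the documented ones:
    for status, body in [(200, b""), (400, b'{"error":"unsupported_token_type"}'),
                         (401, b'{"error":"invalid_client"}')]:
        print(status, interpret_response(status, body))
```

Keep the client secret out of the URL and out of logs: it only ever appears inside the Basic header, and a confidential client should never fall back to sending client_id in the body, because that request shape is what the endpoint expects from public clients.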