ESSign In
OAuth 2.1

Token Revocation (RFC 7009)

Revoke active access tokens or refresh tokens immediately.

The revocation endpoint (RFC 7009) allows you to invalidate an active token. It is idempotent: it always returns 200 OK even if the token does not exist or was already revoked.

Endpoint

POST https://app.whatalo.com/oauth/revoke
Content-Type: application/x-www-form-urlencoded

Authentication required

Confidential clients must authenticate with HTTP Basic or body params:

POST /oauth/revoke
Content-Type: application/x-www-form-urlencoded
Authorization: Basic BASE64(client_id:client_secret)

token=THE_TOKEN_TO_REVOKE
&token_type_hint=refresh_token

Public clients send only client_id without a secret:

token=THE_TOKEN_TO_REVOKE
&client_id=abc123def456ghi789jkl012
&token_type_hint=access_token

Parameters

ParameterRequiredDescription
tokenYesThe token to revoke (access token or refresh token)
token_type_hintNoaccess_token or refresh_token — hint to speed up internal lookup

Response

HTTP/1.1 200 OK

No response body. 200 OK is always returned, even if the token did not exist.

Primary use case: user sign-out

When the user signs out of your app, revoke both the access_token and the refresh_token:

async function logout(accessToken, refreshToken, clientId, clientSecret) {
  const credentials = Buffer.from(`${clientId}:${clientSecret}`)
    .toString("base64");
  const headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Authorization": `Basic ${credentials}`,
  };

  // Revoke both tokens — order doesn't matter
  await Promise.all([
    fetch("https://app.whatalo.com/oauth/revoke", {
      method: "POST",
      headers,
      body: new URLSearchParams({
        token: accessToken,
        token_type_hint: "access_token",
      }),
    }),
    fetch("https://app.whatalo.com/oauth/revoke", {
      method: "POST",
      headers,
      body: new URLSearchParams({
        token: refreshToken,
        token_type_hint: "refresh_token",
      }),
    }),
  ]);
}

Cascade revocation from Whatalo

Critical note for integrations: when a merchant revokes a connected app from the Whatalo settings interface, all access_token and refresh_token values for that combination (client, user, store) are revoked atomically and immediately.

If your Resource Server caches active: true responses from the introspection endpoint for more than 60 seconds, it will continue accepting revoked tokens during that interval.

Effect on introspection after revocation

Immediately after revoking a token, the introspection endpoint returns:

{ "active": false }

Even if the token had not yet expired.

Introspection responseRecommended cache TTL
active: trueAt most 60 seconds
active: falseDo not cache

This ensures that a user-initiated revocation takes effect in your system within one minute.

Token Introspection (RFC 7662)

Validate Whatalo Bearer tokens from your Resource Server.

OAuth Scopes

The 17 available scopes and the access each one grants.

On this page

Endpoint
Authentication required
Parameters
Response
Primary use case: user sign-out
Cascade revocation from Whatalo
Effect on introspection after revocation
Recommended cache TTL