Token Revocation

Revokes an active access token or refresh token, as specified by RFC 7009. This endpoint is idempotent — it always returns 200 OK even if the token does not exist or was already revoked.

When a refresh token is revoked, all access tokens in the same family are also invalidated. Revoking an access token does not automatically revoke the associated refresh token.

Confidential clients authenticate via HTTP Basic or body params. Public clients send only client_id.

Authorization

BasicAuth

Request Body

application/x-www-form-urlencoded

TypeScript Definitions

Use the request body type in TypeScript.

token*string

The token to revoke (access token or refresh token).

token_type_hint?string

Optional hint to speed up internal lookup.

Value in"access_token" | "refresh_token"

client_id?string

Required for public clients (no client_secret).

client_secret?string

Required for confidential clients when not using HTTP Basic auth.

Response Body

`application/json`

curl -X POST "https://api.whatalo.com/oauth/revoke" \  -H "Content-Type: application/x-www-form-urlencoded" \  -d 'token=LKr5XU5xyiD0XscBPSO9tm0DsSK2AKsWL2fOe9an6v8'

Empty

{
  "error": "invalid_client",
  "error_description": "Client authentication failed"
}

Authorization

Request Body

Response Body

200

401application/json

`application/json`