Skip to main content
POST
/
api
/
auth
/
revoke
Revoke Token
curl --request POST \
  --url https://api.example.com/api/auth/revoke \
  --header 'Content-Type: application/json' \
  --data '
{
  "RefreshToken": "<string>",
  "Reason": "<string>"
}
'
{
  "Message": "<string>"
}

Description

Revokes a refresh token, effectively logging out the user from that session. This should be called when a user explicitly logs out.

Authentication

Requires valid JWT access token in the Authorization header. Header: Authorization: Bearer <access_token>

Request Body

RefreshToken
string
required
The refresh token to revoke.
Reason
string
Optional reason for revoking the token (e.g., “User logout”, “Security concern”).

Response

Message
string
Confirmation message indicating the token was successfully revoked.

Status Codes

  • 200 OK: Token successfully revoked
  • 401 Unauthorized: Invalid access token, invalid refresh token, or token already revoked

Example Request

cURL
curl -X POST http://localhost:5000/api/auth/revoke \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -d '{
    "RefreshToken": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
    "Reason": "User logout"
  }'

Example Response

200 OK
{
  "Message": "Token revocado exitosamente."
}
401 Unauthorized
{
  "message": "Refresh token inválido o ya revocado."
}

Usage Notes

  • This endpoint requires authentication, so you must include a valid access token in the Authorization header
  • Once revoked, the refresh token cannot be used to obtain new access tokens
  • The Reason parameter is optional but recommended for audit logging