Revoking an OAuth access token
OAuth access tokens provide authorized access to APIs, but there are situations where revoking a token is necessary. For example, a token should be revoked when it is compromised, is no longer needed, or should be invalidated for security reasons. Revoking an access token invalidates it immediately and permanently, and the action is irreversible. Once revoked, the token cannot be used again.
This article explains how to revoke OAuth access tokens, either by specifying a token id or by revoking the currently active token.
Revoking an access token by id
You can use the Revoke Token endpoint to revoke an access token by id. This method is useful when you manage multiple tokens and need to revoke specific ones selectively.
Each access token has an associated unique id required to revoke it. If you don't know the token id, retrieve it using Getting information about access tokens.
Here is an example request that revokes an access token by id:
curl https://{subdomain}.zendesk.com/api/v2/oauth/tokens/{oauth_token_id}.json \
-X DELETE \
-v -u {email_address}/token:{api_token}
A successful response returns a 204 No Content status, indicating the token was revoked and is no longer valid.
// Status 204 No Content
null
Revoking a known access token
You can revoke a known access token that you've used to make Zendesk API requests. Zendesk provides a dedicated endpoint to revoke this access token.
curl https://{subdomain}.zendesk.com/api/v2/oauth/tokens/current.json \
-X DELETE \
-H "Authorization: Bearer {access_token}" \
-v
A successful response returns a 204 No Content status, indicating the token was revoked and is no longer valid.
// Status 204 No Content
null
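The following script is an added example, not part of the original article or Zendesk's own code. It revokes the current token with the endpoint shown above, then reuses the token once to confirm it is rejected. The environment variable names, the status meanings other than 204, and the use of GET on the same URL as the verification request are assumptions.

```shell
#!/bin/sh
# Added example, not Zendesk's own code. Assumed environment variables:
# ZD_SUBDOMAIN and ZD_ACCESS_TOKEN (names chosen for this example).

# Map the DELETE status to an outcome. 204 is the success status the article
# gives; the meanings attached to the other codes are assumptions.
revoke_outcome() {
  case "$1" in
    204) echo revoked ;;
    401) echo rejected-credentials ;;
    404) echo not-found ;;
    429) echo rate-limited ;;
    5??) echo server-error ;;
    *)   echo unexpected ;;
  esac
}

# A revoked token should fail authentication when reused (401 is assumed).
verify_outcome() {
  case "$1" in
    401) echo confirmed-invalid ;;
    200) echo STILL-VALID ;;
    *)   echo inconclusive ;;
  esac
}

# Send one request and print only the HTTP status code. The bearer header goes
# to curl through a config file on stdin, so the token stays out of the process
# list, and -v is omitted so the header is not echoed to the terminal.
zd_status() {  # $1 = HTTP method, $2 = URL
  printf 'header = "Authorization: Bearer %s"\n' "$ZD_ACCESS_TOKEN" |
    curl --silent --output /dev/null --write-out '%{http_code}' \
         --request "$1" --config - "$2"
}

revoke_current_token() {
  url="https://${ZD_SUBDOMAIN}.zendesk.com/api/v2/oauth/tokens/current.json"
  outcome=$(revoke_outcome "$(zd_status DELETE "$url")")
  [ "$outcome" = revoked ] || { echo "revoke: $outcome" >&2; return 1; }
  # Assumption: GET on the same URL is an authenticated read of the token.
  check=$(verify_outcome "$(zd_status GET "$url")")
  echo "revoke: revoked, verify: $check"
  [ "$check" = confirmed-invalid ]
}

# Contacts the API only when the script is called with the argument "run".
if [ "${1:-}" = run ]; then revoke_current_token; fi
```

A STILL-VALID result after a 204 means the token was accepted after revocation and should be escalated rather than retried.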