# Token Revocation

This section illustrates how to invalidate access tokens and refresh tokens. When users log out of your application, revoke their access token.

Example request:

```
curl -v -X POST https://{digiRunner_DOMAIN}/oauth/revocation \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'token={access_token}' \
-d 'token_type_hint=access_token' \
-d 'client_id={client_id}' \
-d 'client_secret={client_secret}'
```

Parameters with details:

<table><thead><tr><th width="205">Parameter</th><th width="84">Type</th><th width="131">Requirement</th><th>Description</th></tr></thead><tbody><tr><td><code>token</code></td><td>String</td><td>Required</td><td>The client's access token or refresh token to be revoked</td></tr><tr><td><code>token_type_hint</code></td><td>String</td><td>Required</td><td>To revoke an access token, use <code>access_token</code> as the value; to revoke a refresh token, use <code>refresh_token</code> as the value</td></tr><tr><td><code>client_id</code></td><td>String</td><td>Required</td><td>Client ID registered with digiRunner</td></tr><tr><td><code>client_secret</code></td><td>String</td><td>Optional</td><td><p><strong>Scenario I. Higher-Security (Client Password Required)</strong></p><p>Client Password registered with digiRunner</p><p></p><p><strong>Scenario II. PKCE + Public Client (Client Password Not Required)</strong></p><p>When the <strong>Public Client (With PKCE)</strong> option is selected in digiRunner's <strong>OAuth grant type</strong>, the parameter is not required.</p></td></tr></tbody></table>

### **Example of Successful Response** <a href="#toc163842126" id="toc163842126"></a>

Example:

```
{
  "code": "token_revoke_success",
  "message": "access token revoke success, jti: 813a1d99-8a72-40a6-bf42-e26df6eadcb0"
}
```

Parameters with details:

<table><thead><tr><th width="168">Parameter</th><th width="84">Type</th><th>Description</th></tr></thead><tbody><tr><td><code>code</code></td><td>String</td><td><p>Custom response code for a successful revocation. Two values are currently defined:</p><p><code>token_revoke_success</code>: the token was revoked successfully for this session.</p><p><code>token_already_revoked</code>: the token has already been revoked.</p></td></tr><tr><td><code>message</code></td><td>String</td><td>Details for this successful revocation code</td></tr></tbody></table>

### **Example of Error Response**

If the client password is incorrect, a 401 Unauthorized HTTP status code and JSON response will be returned.

Example:

```
{
  "timestamp": "1685332432791",
  "status": 401,
  "error": "Unauthorized",
  "message": "The client account or password is incorrect.clientId: tspldapclient",
  "path": "/oauth/revocation"
}
```
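The following Python client is an added example, not part of digiRunner's documentation or code. It builds the revocation request shown above, omits `client_secret` for a public PKCE client, and accepts both documented success codes so that a repeated logout does not fail. The function and class names, the HTTP 200 status in the demo, and the choice to treat any other response as "not revoked" are assumptions of this example.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

REVOKED_CODES = ("token_revoke_success", "token_already_revoked")  # documented success codes
TOKEN_TYPE_HINTS = ("access_token", "refresh_token")

class RevocationError(Exception):
    """Revocation was not confirmed; treat the token as still valid."""

def build_revocation_request(domain, token, token_type_hint, client_id, client_secret=None):
    """Build the form-encoded POST to /oauth/revocation without sending it."""
    if token_type_hint not in TOKEN_TYPE_HINTS:
        raise ValueError("token_type_hint must be access_token or refresh_token")
    form = {"token": token, "token_type_hint": token_type_hint, "client_id": client_id}
    if client_secret is not None:  # omitted for a Public Client (With PKCE)
        form["client_secret"] = client_secret
    return urllib.request.Request(
        f"https://{domain}/oauth/revocation",
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )

def interpret_revocation_response(status, body):
    """Return the documented success code, or raise RevocationError."""
    try:
        payload = json.loads(body)
    except ValueError:
        payload = None
    if not isinstance(payload, dict):
        raise RevocationError(f"HTTP {status}: response is not a JSON object")
    if payload.get("code") in REVOKED_CODES:
        return payload["code"]  # token_already_revoked also counts, so logout can be retried
    # Error bodies such as the 401 example carry "error"; the token is never put in the message.
    raise RevocationError(f"HTTP {status}: {payload.get('error', 'unexpected response')}")

def revoke_token(domain, token, token_type_hint, client_id, client_secret=None):
    """Send the request and return the success code (needs a reachable gateway)."""
    req = build_revocation_request(domain, token, token_type_hint, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_revocation_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 401 and other non-2xx statuses
        return interpret_revocation_response(err.code, err.read())

if __name__ == "__main__":  # offline demo on a constructed body; status 200 is assumed
    print(interpret_revocation_response(200, '{"code": "token_already_revoked", "message": "demo"}'))
```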

