# Token Revocation
When a user logs out of your application or you need to invalidate their SeloraX session, revoke their tokens.
```http
POST /api/oauth/revoke
```
This endpoint is rate limited to 10 requests per minute.
## Request Body

```json
{
  "token": "sx_it_...",
  "token_type_hint": "access_token",
  "client_id": "sx_oc_...",
  "client_secret": "sx_os_..."
}
```

| Field | Required | Description |
|---|---|---|
| token | Yes | The token to revoke (access or refresh) |
| token_type_hint | No | `access_token` or `refresh_token`. Helps the server find the token faster. |
| client_id | Yes | Your client ID |
| client_secret | Yes (confidential clients) | Required for confidential clients. Without it, the token will not be revoked. |
:::warning
For confidential clients, client_secret is mandatory. If you omit it or provide an invalid secret, the server returns 200 OK (per RFC 7009) but the token is not revoked. Always include your client secret.
:::
## Response

Per RFC 7009, the revocation endpoint always returns HTTP 200, even if the token was already revoked, invalid, or the client failed authentication:

```json
{
  "message": "OK",
  "status": 200
}
```

This prevents token information leakage: an attacker cannot determine whether a token was valid by checking the response.
## Behavior
- Revoking an access token also invalidates the associated refresh token. Both tokens in the pair are cleared in a single atomic operation.
- Revoking a refresh token also invalidates the associated access token. Both tokens in the pair are cleared in a single atomic operation.
- The Redis cache for the revoked tokens is immediately invalidated.
:::info
Unlike some OAuth providers that allow independent token revocation, SeloraX always revokes the entire token pair regardless of which token you submit. This is a security decision: partial revocation could leave a valid refresh token that generates new access tokens.
:::
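To make the rules above concrete, here is an added example (not SeloraX's own code) that models the documented revoke semantics in memory: an identical 200 response in every case, a silent no-op when the confidential client's secret is wrong, and atomic revocation of the whole token pair. It also shows a client-side check that fails closed when no secret is configured, since the response can never reveal that the revocation was ignored. All client ids and token values are constructed sample data.

```javascript
// Constructed sample data: client_id -> client_secret, and token -> its pair.
const clients = new Map([['sx_oc_demo', 'sx_os_demo']]);
const tokens = new Map([
  ['sx_it_access_demo',  { pairId: 'pair-1', type: 'access_token' }],
  ['sx_it_refresh_demo', { pairId: 'pair-1', type: 'refresh_token' }],
]);

// Server side. Per RFC 7009 the response is identical in every branch, so the
// caller learns nothing about token validity or about its own authentication.
function revoke(body) {
  const ok = { message: 'OK', status: 200 };
  if (clients.get(body.client_id) !== body.client_secret) return ok; // auth failed: nothing revoked
  // token_type_hint is only an optimisation; this model looks the token up directly.
  const entry = tokens.get(body.token);
  if (!entry) return ok;                                             // unknown or already revoked
  // Either token of the pair revokes both, in one pass, so no half-revoked pair remains.
  for (const [t, e] of tokens) {
    if (e.pairId === entry.pairId) tokens.delete(t);
  }
  return ok;
}

function isActive(token) {
  return tokens.has(token);
}

// Client side. Because a 200 never proves revocation, validate the request
// before sending it instead of trusting the response afterwards.
function buildRevokeRequest(refreshToken, clientId, clientSecret) {
  if (!clientSecret) {
    throw new Error('client_secret not configured: the server would answer 200 and keep the token');
  }
  return {
    token: refreshToken,
    token_type_hint: 'refresh_token',
    client_id: clientId,
    client_secret: clientSecret,
  };
}
```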
## Example: Logout Flow

```javascript
async function logout(req, refreshToken) {
  // Revoke the refresh token (also invalidates the access token)
  const response = await fetch('https://api.selorax.io/api/oauth/revoke', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      token: refreshToken,
      token_type_hint: 'refresh_token',
      client_id: process.env.SELORAX_CLIENT_ID,
      client_secret: process.env.SELORAX_CLIENT_SECRET,
    }),
  });
  // The endpoint itself always answers 200 (RFC 7009); anything else means the
  // request did not reach it, so do not treat the logout as complete.
  if (!response.ok) {
    throw new Error(`Token revocation failed: HTTP ${response.status}`);
  }
  // Clear local session (req is the framework request object that carries the session)
  req.session.destroy();
}
```

:::tip
Revoke the refresh token during logout. This invalidates the entire token pair in one call.
:::