Revoke OAuth Tokens Programmatically
Revoke an OAuth token if you don’t want a client to access Salesforce data or if you don’t trust the client to discontinue access on its own.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: All Editions |
After a client—via a connected app or external client app—receives an access or refresh token from an OAuth 2.0 authorization flow, it can use the token to access data. You can revoke the app’s access token, or the refresh token and all related access tokens, using revocation. Developers can revoke the token when configuring a log-out button in their app.
Use one of these methods to revoke a connected app or external client app's access or refresh tokens. These methods are supported for opaque tokens and JSON Web Token (JWT)-based access tokens. To revoke a Data Cloud access token, see Revoke Data Cloud Access Tokens.
Revoke Tokens with a POST Request
To revoke OAuth 2.0 tokens, use the revocation endpoint.
https://MyDomainName.my.salesforce.com/services/oauth2/revoke

Construct a POST request that uses the application/x-www-form-urlencoded format in the HTTP request entity-body. For example, use this request format to revoke opaque tokens and named user JWT-based access tokens.
POST /services/oauth2/revoke HTTP/1.1
Host: MyDomainName.my.salesforce.com
Content-Type: application/x-www-form-urlencoded

token=currenttoken

To revoke a JWT-based access token issued to a guest user, there are some extra headers. Include an Auth-Request-Type header with the value guest and a Uvid-Hint header with the guest user's unique visitor ID (UVID). Here's an example request to revoke a guest JWT-based access token.
POST /services/oauth2/revoke HTTP/1.1
Host: MyDomainName.my.salesforce.com
Content-Type: application/x-www-form-urlencoded
Auth-Request-Type: guest
Uvid-Hint: <UVID value>

token=currenttoken

If an opaque or JWT-based access token is included, Salesforce invalidates it and revokes the token. If a refresh token is included, Salesforce revokes it and any associated access tokens. If a delete token is included, Salesforce queries it and revokes the refresh token and associated access tokens.
Salesforce indicates successful processing of the request by returning an HTTP 200 status code. For all error conditions, Salesforce returns a 400 status code along with one of these error responses.
unsupported_token_type—Token type not supported
invalid_token—Token was invalid
For a sandbox, use MyDomainName--SandboxName.sandbox.my.salesforce.com instead of MyDomainName.my.salesforce.com.
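A small client for the POST flow described above, written as an added example and not Salesforce's own code: it builds the revocation request for a production or sandbox host, adds the guest-user headers when a UVID is supplied, and maps the 200/400 replies to a result. Assumptions: the 400 error body is JSON of the form {"error": "..."} (as the JSONP example on this page shows), and the function names and sample domain values are mine.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

REVOKE_PATH = "/services/oauth2/revoke"

def revoke_host(my_domain, sandbox=None):
    # Production host, or the sandbox host form given in the text above.
    if sandbox:
        return f"{my_domain}--{sandbox}.sandbox.my.salesforce.com"
    return f"{my_domain}.my.salesforce.com"

def build_revoke_request(my_domain, token, guest_uvid=None, sandbox=None):
    # Return (url, headers, body) for the revocation POST. guest_uvid is the
    # guest user's unique visitor ID; when given, the Auth-Request-Type and
    # Uvid-Hint headers described in the text are added.
    url = f"https://{revoke_host(my_domain, sandbox)}{REVOKE_PATH}"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if guest_uvid is not None:
        headers["Auth-Request-Type"] = "guest"
        headers["Uvid-Hint"] = guest_uvid
    body = urllib.parse.urlencode({"token": token}).encode("ascii")
    return url, headers, body

def interpret_response(status, body):
    # 200 means revoked. Assumption: a 400 reply carries a JSON body of the
    # form {"error": "..."}, as the JSONP callback example on the page shows.
    if status == 200:
        return "revoked"
    if status == 400:
        try:
            data = json.loads(body.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            return "unknown_error"
        return data.get("error", "unknown_error") if isinstance(data, dict) else "unknown_error"
    raise RuntimeError(f"unexpected HTTP status {status} from revocation endpoint")

def revoke_token(my_domain, token, guest_uvid=None, sandbox=None):
    # Send the request. Pass the refresh token here to revoke every access
    # token tied to it, which is what a logout handler should do.
    url, headers, body = build_revoke_request(my_domain, token, guest_uvid, sandbox)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # urllib raises a 400 as HTTPError
        return interpret_response(err.code, err.read())
```

Treat anything other than "revoked" as a failed logout and keep the session closed on your side rather than assuming the token is gone.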
Revoke Tokens with JSONP
The Salesforce revocation endpoint accepts GET requests with an additional callback parameter and returns the response with content type application/javascript. For example:

https://MyDomainName.my.salesforce.com/services/oauth2/revoke?token=XXXXX&callback=myCallback

If the request is successful, a callback is sent to the JavaScript function set in the callback parameter of the GET.

myCallback({});

If the response isn’t successful, a callback is sent with an error code.

myCallback({"error":"invalid_token"});

Revoke Tokens with Apex
To revoke tokens with Apex, use the revokeToken(type, AuthToken) method in the Auth.OauthToken class. See the OauthToken Class in the Apex Reference Guide.