---
title: Token revocation
framework: signinwithapplerestapi
role: symbol
role_heading: Web Service Endpoint
path: signinwithapplerestapi/revoke-tokens
---

# Token revocation

Invalidate the tokens and associated user authorizations for a user when they are no longer associated with your app.

## URL

POST https://appleid.apple.com/auth/revoke

## Response Codes

- 200 OK: The request was successful; the provided token has been revoked successfully or was previously invalid.
- 400 Bad Request: The server was unable to process the request. See the error code description for more information about the underlying error.

## Discussion

In order to revoke authorization for a user, you must obtain a valid refresh token or access token. If you don’t have either token for the user, you can generate tokens when validating an authorization code. For more information about user tokens and creating client secrets, see Token validation.

To invalidate a user’s refresh token, invoke the revoke endpoint with the following HTTP POST method.

```bash
# Revoke a refresh token; credentials and token go in the form-encoded body.
curl -v -X POST "https://appleid.apple.com/auth/revoke" \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'client_id=CLIENT_ID' \
  -d 'client_secret=CLIENT_SECRET' \
  -d 'token=REFRESH_TOKEN' \
  -d 'token_type_hint=refresh_token'
```

Additionally, to invalidate a user’s access token, use the following HTTP POST method.

```bash
# Revoke an access token; only the token value and the hint differ.
curl -v -X POST "https://appleid.apple.com/auth/revoke" \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'client_id=CLIENT_ID' \
  -d 'client_secret=CLIENT_SECRET' \
  -d 'token=ACCESS_TOKEN' \
  -d 'token_type_hint=access_token'
```

For either token revocation request, the revoke endpoint returns a 200 response code without a response body after the server invalidates the token value, or if the token value was previously invalidated. If the response contains an error, please see ErrorResponse for the specific error code provided in the response body.
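The following is an added example, not part of Apple's documentation: a server-side helper that builds the same form-encoded POST as the curl commands above and maps the 200 and 400 outcomes to a result. The function names are hypothetical, and the 400 body is assumed to be the JSON ErrorResponse object with an `error` field.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

REVOKE_URL = "https://appleid.apple.com/auth/revoke"
TOKEN_TYPE_HINTS = ("refresh_token", "access_token")


def build_revoke_request(client_id, client_secret, token, token_type_hint):
    """Build the form-encoded POST shown in the curl commands above."""
    if token_type_hint not in TOKEN_TYPE_HINTS:  # this helper always sends a hint
        raise ValueError("token_type_hint must be refresh_token or access_token")
    if not (client_id and client_secret and token):
        raise ValueError("client_id, client_secret and token must be non-empty")
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "token": token,
        "token_type_hint": token_type_hint,
    }).encode("ascii")
    # Secrets travel in the POST body, never in the URL, so they stay out of
    # access logs and proxies that record request lines.
    return urllib.request.Request(
        REVOKE_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def interpret_revoke_response(status, body):
    """Return (revoked, error_code) for a revoke response."""
    if status == 200:
        # 200 with no body: the token is now invalid, or already was.
        return True, None
    try:
        error = json.loads(body or b"{}").get("error", "unknown_error")
    except (ValueError, AttributeError):  # assumed JSON object; anything else
        error = "unparseable_error_body"
    return False, error


def revoke(client_id, client_secret, token, token_type_hint, timeout=10):
    """Send the request (needs network access) and classify the outcome."""
    req = build_revoke_request(client_id, client_secret, token, token_type_hint)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_revoke_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return interpret_revoke_response(exc.code, exc.read())
```

Because a 200 is also returned for a token that was already invalid, a caller such as an account-deletion job can retry `revoke` safely, and should record only the returned error code, not the token or client secret.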

## HTTP Body

The list of input parameters required for the server to invalidate the token.

## See Also

### Generating and revoking tokens

- [Creating a client secret](accountorganizationaldatasharing/creating-a-client-secret.md)
- [Fetch Apple’s public key to verify token signatures](signinwithapplerestapi/fetch-apple's-public-key-for-verifying-token-signature.md)
- [Token validation](signinwithapplerestapi/generate-and-validate-tokens.md)
