Token revocation
Invalidate the tokens and associated user authorizations for a user when they are no longer associated with your app.
URL
POST https://appleid.apple.com/auth/revoke
Response Codes
| Status | Reason | Type | Description |
|---|---|---|---|
| 200 | OK Content-Type: application/json | | The request was successful; the provided token has been revoked successfully or was previously invalid. |
| 400 | Bad Request Content-Type: application/json | ErrorResponse | The server was unable to process the request. See the error code description for more information about the underlying error. |
Discussion
In order to revoke authorization for a user, you must obtain a valid refresh token or access token. If you don’t have either token for the user, you can generate tokens when validating an authorization code. For more information about user tokens and creating client secrets, see Token validation.
To invalidate a user’s refresh token, send the following HTTP POST request to the revoke endpoint.
curl -v -X POST "https://appleid.apple.com/auth/revoke" \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'client_id=CLIENT_ID' \
-d 'client_secret=CLIENT_SECRET' \
-d 'token=REFRESH_TOKEN' \
-d 'token_type_hint=refresh_token'
Additionally, to invalidate a user’s access token, use the following HTTP POST request.
curl -v -X POST "https://appleid.apple.com/auth/revoke" \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'client_id=CLIENT_ID' \
-d 'client_secret=CLIENT_SECRET' \
-d 'token=ACCESS_TOKEN' \
-d 'token_type_hint=access_token'
For either token revocation request, the revoke endpoint returns a 200 response code without a response body after the server invalidates the token value, or if the token value was previously invalidated. If the response contains an error, see ErrorResponse for the specific error code provided in the response body.
HTTP Body
The list of input parameters required for the server to invalidate the token.