---
title: /oauth2/token/revoke
description: Endpoint defined in RFC 7009 Token Revocation to revoke access tokens and refresh tokens.
component: pingoneaic-api
page_id: pingoneaic-api:am-oauth2:oauth2-token-revoke-endpoint
canonical_url: https://developer.pingidentity.com/pingoneaic-api/am-oauth2/oauth2-token-revoke-endpoint.html
keywords: ["OAuth 2.0", "Scopes", "Grant Flow", "Endpoints", "Setup & Configuration"]
---

# /oauth2/token/revoke

Endpoint defined in RFC 7009 [Token Revocation](https://www.rfc-editor.org/info/rfc7009) to revoke access tokens and refresh tokens.

When you revoke a refresh token, you revoke all tokens issued with the same authorization grant. If you obtained multiple access tokens for a single user under different authorization grants, you must revoke the tokens separately to invalidate each one.

Specify the realm in the request URL; for example:

```none
https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/token/revoke
```

The revoke token endpoint supports the following parameters:

| Parameter               | Description                                                                                                      | Required                                                                                                                                     |
| ----------------------- | ---------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| `client_assertion`      | A signed JSON Web Token (JWT) to use as client credentials.                                                      | Yes, for [JWT profile](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/client-auth-jwt.html) authentication                        |
| `client_assertion_type` | The type of assertion, `client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer`. | Yes, for [JWT profile](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/client-auth-jwt.html) authentication                        |
| `client_id`             | Uniquely identifies the application making the request.                                                          | Yes                                                                                                                                          |
| `client_secret`         | The password for a confidential client.                                                                          | Yes, when authenticating with [Form parameters (HTTP POST)](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/client-auth-form.html) |
| `token`                 | The access token or refresh token to revoke.                                                                     | Yes                                                                                                                                          |

The following example revokes a refresh token:

```bash
$ curl \
--request POST \
--user "myClient:mySecret" \
--data "client_id=myClient" \
--data "token=refresh-token" \
"https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/token/revoke"
{}
```
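
The following added example (not Ping Identity code) builds the same request from the parameter table, using either form-parameter or JWT profile client authentication, and sends one revocation per token for tokens that came from different authorization grants. The function names, the `tenant.example.com` host and the sample token values are assumptions made for illustration.

```python
import urllib.parse
import urllib.request

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def revoke_url(tenant_fqdn, realm="alpha"):
    # The realm is part of the URL path, as in the example URL on this page.
    return f"https://{tenant_fqdn}/am/oauth2/realms/root/realms/{realm}/token/revoke"


def build_revoke_request(url, client_id, token, client_secret=None, client_assertion=None):
    """Build the POST with form-parameter or JWT-profile client authentication."""
    if not client_id or not token:
        raise ValueError("client_id and token are required")
    if client_secret and client_assertion:
        raise ValueError("use client_secret or client_assertion, not both")
    form = {"client_id": client_id, "token": token}
    if client_secret:
        form["client_secret"] = client_secret
    elif client_assertion:
        form["client_assertion_type"] = JWT_BEARER
        form["client_assertion"] = client_assertion
    # urlencode percent-encodes the colons in the assertion type (%3A).
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def revoke_each(url, client_id, client_secret, tokens, send=urllib.request.urlopen):
    """Send one revocation per token; `tokens` maps a label to a token value.

    Results are keyed by label so token values never reach logs.
    """
    results = {}
    for label, token in tokens.items():
        req = build_revoke_request(url, client_id, token, client_secret=client_secret)
        with send(req) as resp:  # urlopen raises HTTPError on 4xx/5xx
            results[label] = resp.status == 200
    return results


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network here.
    req = build_revoke_request(revoke_url("tenant.example.com"), "myClient",
                               "refresh-token", client_secret="mySecret")
    print(req.get_method(), req.full_url)
```

The `send` parameter exists so the request path can be exercised with a stub; in normal use it defaults to `urllib.request.urlopen`.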
