Token Revocation and Logging Out

Explore how to revoke access and refresh tokens

Token revocation and logout are two related concepts. Both can be called for a variety of similar reasons, such as a user logging off, a security breach, or a change in permissions. The primary difference lies in their scope of action.

Token revocation focuses on invalidating a specific authentication token while keeping the user's session active. On the other hand, when a user logs out, their session is completely terminated for all applications, and they must re-authenticate to access protected resources.

You can make a similar API call to the HyperID for either action:

Logout Request

POST /auth/realms/HyperID/protocol/openid-connect/logout HTTP/1.1
Host: login.hypersecureid.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

refresh_token=your.refresh.token
&client_id=your_app_client_id
&client_secret=your_app_client_secret

Revoke Tokens Request

POST /auth/realms/HyperID/protocol/openid-connect/revoke HTTP/1.1
Host: login.hypersecureid.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

token=your.refresh.token
&client_id=your_app_client_id
&client_secret=your_app_client_secret

This API calls include the refresh token as the refresh_token parameter for Logout / as the token parameter for Revoke, the client_id and client_secret from your client's configuration settings (see to the Client Registration chapter for details).

Response

HTTP/1.1 200 OK

Both requests end with same simple response.

Below are examples of the implemented 'Logout' requests:

cURL

curl --location 'http://login.hypersecureid.com/auth/realms/HyperID/protocol/openid-connect/logout' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'refresh_token=your.refresh.token' \
--data-urlencode 'client_id=your_app_client_id' \
--data-urlencode 'client_secret=your_app_client_secret'

JavaScript

var myHeaders = new Headers();
myHeaders.append("Content-Type", "application/x-www-form-urlencoded");

var urlencoded = new URLSearchParams();
urlencoded.append("refresh_token", "your.refresh.token");
urlencoded.append("client_id", "your_app_client_id");
urlencoded.append("client_secret", "your_app_client_secret");

var requestOptions = {
  method: 'POST',
  headers: myHeaders,
  body: urlencoded,
  redirect: 'follow'
};

fetch("http://login.hypersecureid.com/auth/realms/HyperID/protocol/openid-connect/logout", requestOptions)
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));java

NodeJS

const axios = require('axios');
const qs = require('qs');
let data = qs.stringify({
  'refresh_token': 'your.refresh.token',
  'client_id': 'your_app_client_id',
  'client_secret': 'your_app_client_secret' 
});

let config = {
  method: 'post',
  maxBodyLength: Infinity,
  url: 'http://login.hypersecureid.com/auth/realms/HyperID/protocol/openid-connect/logout',
  headers: { 
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  data : data
};

axios.request(config)
.then((response) => {
  console.log(JSON.stringify(response.data));
})
.catch((error) => {
  console.log(error);
});

Python

import http.client

conn = http.client.HTTPSConnection("login.hypersecureid.com")
payload = 'refresh_token=your.refresh.token&client_id=your_app_client_id&client_secret=your_app_client_secret'
headers = {
  'Content-Type': 'application/x-www-form-urlencoded'
}
conn.request("POST", "/auth/realms/HyperID/protocol/openid-connect/logout", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))

C#

var client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Post, "http://login.hypersecureid.com/auth/realms/HyperID/protocol/openid-connect/logout");
var collection = new List<KeyValuePair<string, string>>();
collection.Add(new("refresh_token", "your.refresh.token"));
collection.Add(new("client_id", "your_app_client_id"));
collection.Add(new("client_secret", "your_app_client_secret"));
var content = new FormUrlEncodedContent(collection);
request.Content = content;
var response = await client.SendAsync(request);
response.EnsureSuccessStatusCode();
Console.WriteLine(await response.Content.ReadAsStringAsync()