Token revocation and logout are two related concepts. Both may be triggered for similar reasons, such as a user logging off, a security breach, or a change in permissions. The primary difference lies in their scope of action.
Token revocation invalidates a specific authentication token while keeping the user's session active. When a user logs out, on the other hand, their session is completely terminated for all applications, and they must re-authenticate to access protected resources.
You can make a similar API call to HyperID for either action:
POST /auth/realms/HyperID/protocol/openid-connect/logout HTTP/1.1
Host: login.hypersecureid.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

refresh_token=your.refresh.token&client_id=your_app_client_id&client_secret=your_app_client_secret
POST /auth/realms/HyperID/protocol/openid-connect/revoke HTTP/1.1
Host: login.hypersecureid.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 90

token=your.refresh.token&client_id=your_app_client_id&client_secret=your_app_client_secret
Both calls carry the refresh token in the body: as the refresh_token parameter for Logout and as the token parameter for Revoke. They also carry the client_id and client_secret from your client's configuration settings (see the Client Registration chapter for details).
Response
Both requests end with the same simple response on success:
HTTP/1.1 200 OK
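The following Python client is an added example, not code from the HyperID documentation or SDK. It builds the two requests shown above with the correct parameter name for each action (refresh_token for Logout, token for Revoke), derives Content-Length from the encoded body instead of typing it by hand, and surfaces a non-200 response (for example, an already revoked token) to the caller instead of swallowing it. The base URL is assumed from the Host header and path in the requests above; the credential values are the same placeholders the page uses.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed from the Host header and request path shown above.
BASE_URL = "https://login.hypersecureid.com/auth/realms/HyperID/protocol/openid-connect"

# The two endpoints differ in path and in the name of the form parameter
# that carries the refresh token: "refresh_token" for logout, "token" for revoke.
ENDPOINTS = {
    "logout": ("logout", "refresh_token"),
    "revoke": ("revoke", "token"),
}


def build_request(action, refresh_token, client_id, client_secret):
    """Return (url, headers, body_bytes) for a logout or revoke call.

    The body is application/x-www-form-urlencoded, so every value is
    percent-encoded by urlencode, and Content-Length is computed from the
    encoded bytes so it can never drift from the body.
    """
    if action not in ENDPOINTS:
        raise ValueError(f"unknown action {action!r}; use 'logout' or 'revoke'")
    path, token_param = ENDPOINTS[action]
    body = urllib.parse.urlencode({
        token_param: refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("utf-8")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
    }
    return f"{BASE_URL}/{path}", headers, body


def end_session(action, refresh_token, client_id, client_secret, timeout=10):
    """POST the request and return (status_code, error_detail_or_None).

    200 with an empty body is success. Any other status is returned together
    with the parsed error body (if any) so the caller can decide whether to
    retry, alert, or treat the session as already gone. The client secret is
    only ever placed in the request body, never logged.
    """
    url, headers, body = build_request(action, refresh_token, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            detail = json.loads(raw) if raw else None
        except json.JSONDecodeError:
            detail = {"raw": raw.decode("utf-8", errors="replace")}
        return err.code, detail


if __name__ == "__main__":
    # Placeholder credentials, identical to the ones in the requests above.
    for action in ("logout", "revoke"):
        url, headers, body = build_request(
            action, "your.refresh.token", "your_app_client_id", "your_app_client_secret")
        print(action, url, headers["Content-Length"], body.decode())
```

A caller that receives anything other than 200 from end_session should not assume the token is still valid: a revoked or expired refresh token typically produces an error response, which is exactly the case a logout flow should tolerate rather than fail on.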
Below are examples of the implemented 'Logout' requests: