AM 7.3.1


Endpoint defined in RFC 7009 Token Revocation to revoke access tokens and refresh tokens.

When you revoke a refresh token, you revoke all tokens issued with the same authorization grant. If you obtained multiple access tokens for a single user with different authorization grants, you must revoke the tokens separately to invalidate each one.
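The grant-scoped behavior described above determines which tokens a cleanup must send to the endpoint. The following Python sketch is an added example, not ForgeRock code. It picks one refresh token per authorization grant, falls back to individual access tokens where a grant has no refresh token, and builds the corresponding POST requests without sending them. The endpoint URL is a placeholder, the `grant` labels and token values are constructed, and the client credentials are the sample values from the curl example on this page.

```python
import base64
from urllib.parse import urlencode
from urllib.request import Request

# Placeholder, not a real AM URL: substitute the realm-specific revoke endpoint.
REVOKE_URL = "https://am.example.com/REVOKE-ENDPOINT-PLACEHOLDER"

# Constructed inventory of one user's live tokens; "grant" is a local label.
SAMPLE_TOKENS = [
    {"grant": "g1", "type": "access", "value": "at-1a"},
    {"grant": "g1", "type": "refresh", "value": "rt-1"},
    {"grant": "g1", "type": "access", "value": "at-1b"},
    {"grant": "g2", "type": "access", "value": "at-2"},
]


def plan_revocations(tokens):
    """Return the token values to revoke so that every grant is covered."""
    by_grant = {}
    for tok in tokens:
        by_grant.setdefault(tok["grant"], []).append(tok)
    plan = []
    for items in by_grant.values():
        refresh = [t for t in items if t["type"] == "refresh"]
        # Revoking one refresh token revokes all tokens from the same grant;
        # a grant with no refresh token needs each access token revoked.
        plan.extend(t["value"] for t in (refresh[:1] or items))
    return plan


def build_revoke_request(token, client_id, client_secret, url=REVOKE_URL):
    """Build (without sending) the POST that the curl example performs."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    # The token travels in the form body, never in the URL, so it stays out of
    # access logs and proxy histories.
    body = urlencode({"client_id": client_id, "token": token}).encode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return Request(url, data=body, headers=headers, method="POST")


def revocation_requests(tokens, client_id, client_secret):
    """One request per token chosen by plan_revocations()."""
    return [build_revoke_request(v, client_id, client_secret)
            for v in plan_revocations(tokens)]
```

For the constructed inventory, the plan is `rt-1` (covering both access tokens of grant `g1`) and `at-2`, so two requests are enough to invalidate all four tokens.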

Specify the realm in the request URL; for example:

The revoke token endpoint supports the following parameters:

Parameter Description Required


A signed JSON Web Token (JWT) to use as client credentials.

Yes, for JWT profile authentication


The type of assertion, client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer.

Yes, for JWT profile authentication


Uniquely identifies the application making the request.



The password for a confidential client.

Yes, when authenticating with Form parameters (HTTP POST)


The access token or refresh token to revoke.


The following example revokes a refresh token:

$ curl \
--request POST \
--user "myClient:forgerock" \
--data "client_id=myClient" \
--data "token=<refresh-token>" \
"<revoke-endpoint-url>"
Copyright © 2010-2024 ForgeRock, all rights reserved.